#xss

It has been discovered that Neos is vulnerable to several XSS attacks. Through these vulnerabilities, an attacker could tamper with page rendering, redirect victims to a fake login page, or capture user credentials (such as cookies). With the potential backdoor upload an attacker could gain access to the server itself, to an extent mainly limited by the server setup.

Failing to properly encode information from external sources, language pack handling in the install tool is vulnerable to cross-site scripting.

Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfig_includes is vulnerable to directory traversal leading to same scenarios as having direct access to TSconfig settings. A valid backend user account having access to modify values for fields pages.TSconfig and pages.tsconfig_includes is needed in order to exploit this vulnerability.

Failing to properly encode user input, backend forms are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.

Failing to properly encode user input, several places of the TYPO3 CMS are vulnerable to Cross-Site Scripting.

All link fields within the TYPO3 installation are vulnerable to Cross-Site Scripting as authorized editors can insert data commands by using the url scheme "data:".

Failing to properly encode user input, the page module is vulnerable to Cross-Site Scripting. A valid backend user account with permissions to edit plugins is needed to exploit this vulnerability.

Make sure to not expose the vendor directory to the publicly accessible document root. In composer managed installation, make sure to configure a dedicated web folder. In general it is recommended to not expose the complete typo3_src sources folder in the document root.

Failing to properly encode user input, some backend components are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.

Failing to properly encode user input, some backend components are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.