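Vulnerability Title
Cross-Site Scripting via Rich-Text Content
Vulnerability Description
Cross-Site Scripting via Rich-Text Content
CVSS Information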
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability Category
N/A
Vulnerability Title
Cross-Site Scripting via Rich-Text Content
Vulnerability Description
TYPO3 is an open source PHP-based web content management system released under the GNU GPL. In affected versions, malicious rich-text content is not properly parsed, sanitized and encoded, so the content rendering process in the website frontend is vulnerable to cross-site scripting. The corresponding rendering instructions via the TypoScript functionality HTMLparser do not consider all potentially malicious HTML tag and attribute combinations by default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. If custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
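Vulnerability Category
Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting)
Vulnerability Title
TYPO3 Cross-Site Scripting Vulnerability
Vulnerability Description
TYPO3 is a free and open source content management system (framework) (CMS/CMF) from the TYPO3 Association of Switzerland. TYPO3 has a cross-site scripting vulnerability. It arises because affected versions fail to properly parse, sanitize and encode malicious rich-text content, which leaves the content rendering process in the website frontend vulnerable to cross-site scripting.
CVSS Information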
N/A
Vulnerability Category
Cross-Site Scripting