Package Instance

TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7)

### Problem
Due to a parsing issue in upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanism of `typo3/html-sanitizer`.

### Solution
Update to `typo3/html-sanitizer` versions 1.0.7 or 2.0.16 that fix the problem described.

### Credits
Thanks to David Klein who reported this issue, and to TYPO3 security team member Oliver Hader who fixed the issue.

Cross-Site Scripting in TYPO3's Form Framework
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.9)

### Problem
It has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability.

### Solution
Update to TYPO3 versions 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above.

### Credits
Thanks to Gabe Troyan who reported and fixed the issue.

### References
* [TYPO3-CORE-SA-2022-003](https://typo3.org/security/advisory/typo3-core-sa-2022-003)

Open Redirection in Login Handling
### Problem
It has been discovered that Login Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and conducting phishing attacks. No authentication is required in order to exploit this vulnerability.

### Solution
Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described.

### Credits
Thanks to Alexander Kellner who reported this issue and to TYPO3 security team member Torben Hansen who fixed the issue.

### References
* [TYPO3-CORE-SA-2021-001](https://typo3.org/security/advisory/typo3-core-sa-2021-001)

TYPO3 CMS Stored Cross-Site Scripting via FileDumpController
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.0)

### Problem
It has been discovered that the `FileDumpController` (backend and frontend context) is vulnerable to cross-site scripting when malicious files are displayed using this component. A valid backend user account is needed to exploit this vulnerability.

### Solution
Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above.

### Credits
Thanks to Vautia who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue.

### References
* [TYPO3-CORE-SA-2022-009](https://typo3.org/security/advisory/typo3-core-sa-2022-009)
* [Vulnerability Report on huntr.dev](https://huntr.dev/bounties/51e9b709-193c-41fd-bd4a-833aaca0bd4e/) (embargoed +30 days)

Cross-site Scripting
TYPO3 contains a cross-site scripting vulnerability. When _Page TSconfig_ settings are not properly encoded, corresponding page preview module (`_Web>View_`) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 contain a patch for this issue.

TYPO3 CMS vulnerable to Insufficient Session Expiration after Password Reset
### Problem
When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions.

### Solution
Update to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.

### References
* [TYPO3-CORE-SA-2022-014](https://typo3.org/security/advisory/typo3-core-sa-2022-014)

Cleartext storage of session identifier
User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.

### Solution
Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described.

### Credits
Thanks to TYPO3 security team member Helmut Hummel who reported this issue and to TYPO3 core & security team members Benni Mack & Oliver Hader as well as TYPO3 contributor Markus Klein who fixed the issue.

Cross-Site Scripting in Content Preview
### Problem
It has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed in the page module. A valid backend user account is needed to exploit this vulnerability.

### Solution
Update to TYPO3 versions 10.4.14, 11.1.1 that fix the problem described.

### Credits
Thanks to Richie Lee who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue.

### References
* [TYPO3-CORE-SA-2021-007](https://typo3.org/security/advisory/typo3-core-sa-2021-007)

TYPO3 CMS vulnerable to Cross-Site Scripting in <f:asset.css> view helper
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.1)

### Problem
It has been discovered that the `f:asset.css` view helper is vulnerable to cross-site scripting when user input is passed as variables to the CSS. 

### Solution
Update to TYPO3 version 10.4.32 or 11.5.16 that fix the problem described above.

### Credits
Thanks to TYPO3 contributor member Frank Nägler who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue.

### References
* [TYPO3-CORE-SA-2022-010](https://typo3.org/security/advisory/typo3-core-sa-2022-010)