VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-9mn3-51g6-zybx

Essentials
Severities (17)
References (9)
Severity details (17)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-9mn3-51g6-zybx
Aliases	GHSA-mxjf-hc9v-xgv2
Summary	ExtJS JavaScript framework used in TYPO3 vulnerable to Cross-site Scripting Failing to properly validate the HTTP host-header TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to generate absolute URLs in several places like 404 handling, http(s) enforcement, password reset links and many more. Since the host header itself is provided by the client it can be forged to any value, even in a name based virtual hosts environment. A blog post describes this problem in great detail.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-mxjf-hc9v-xgv2
cvssv3.1	6.1	https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2014-05-22-1.yaml
generic_textual	MODERATE	https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2014-05-22-1.yaml
cvssv3.1	6.1	https://github.com/TYPO3/typo3
generic_textual	MODERATE	https://github.com/TYPO3/typo3
cvssv3.1	6.1	https://github.com/TYPO3/typo3/commit/32efb1b03573d51391126c90cd87c74b3dc457fb
generic_textual	MODERATE	https://github.com/TYPO3/typo3/commit/32efb1b03573d51391126c90cd87c74b3dc457fb
cvssv3.1	6.1	https://github.com/TYPO3/typo3/commit/9bd777649e4022c89dbf39ca41988a594b5e94b8
generic_textual	MODERATE	https://github.com/TYPO3/typo3/commit/9bd777649e4022c89dbf39ca41988a594b5e94b8
cvssv3.1	6.1	https://github.com/TYPO3/typo3/commit/c39bca9613c311dd12e61771dd311b1bb2283b8d
generic_textual	MODERATE	https://github.com/TYPO3/typo3/commit/c39bca9613c311dd12e61771dd311b1bb2283b8d
cvssv3.1	6.1	https://github.com/TYPO3/typo3/commit/d554ac5323f3b0fac1fce4c2c491d0123badd669
generic_textual	MODERATE	https://github.com/TYPO3/typo3/commit/d554ac5323f3b0fac1fce4c2c491d0123badd669
cvssv3.1	6.1	https://typo3.org/security/advisory/typo3-core-sa-2014-001
generic_textual	MODERATE	https://typo3.org/security/advisory/typo3-core-sa-2014-001
cvssv3.1	6.1	https://web.archive.org/web/20140531042943/http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001
generic_textual	MODERATE	https://web.archive.org/web/20140531042943/http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001

Reference id	Reference type	URL
		https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2014-05-22-1.yaml
		https://github.com/TYPO3/typo3
		https://github.com/TYPO3/typo3/commit/32efb1b03573d51391126c90cd87c74b3dc457fb
		https://github.com/TYPO3/typo3/commit/9bd777649e4022c89dbf39ca41988a594b5e94b8
		https://github.com/TYPO3/typo3/commit/c39bca9613c311dd12e61771dd311b1bb2283b8d
		https://github.com/TYPO3/typo3/commit/d554ac5323f3b0fac1fce4c2c491d0123badd669
		https://typo3.org/security/advisory/typo3-core-sa-2014-001
		https://web.archive.org/web/20140531042943/http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001
GHSA-mxjf-hc9v-xgv2		https://github.com/advisories/GHSA-mxjf-hc9v-xgv2

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2014-05-22-1.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/TYPO3/typo3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/TYPO3/typo3/commit/32efb1b03573d51391126c90cd87c74b3dc457fb

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/TYPO3/typo3/commit/9bd777649e4022c89dbf39ca41988a594b5e94b8

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/TYPO3/typo3/commit/c39bca9613c311dd12e61771dd311b1bb2283b8d

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/TYPO3/typo3/commit/d554ac5323f3b0fac1fce4c2c491d0123badd669

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://typo3.org/security/advisory/typo3-core-sa-2014-001

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://web.archive.org/web/20140531042943/http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:11:18.105730+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-mxjf-hc9v-xgv2/GHSA-mxjf-hc9v-xgv2.json	36.1.3