
CVE-2010-3715: TYPO3 cross-site scripting (XSS) vulnerability in the RemoveXSS function and the backend

CVSS Score
4.3

Basic Information

EPSS Score
0.52631%
Published
5/17/2022
Updated
2/8/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
AV:N/AC:M/Au:N/C:N/I:P/A:N
Package Name      | Ecosystem | Vulnerable Versions | First Patched Version
typo3/cms-backend | composer  | >= 4.2.0, < 4.2.15  | 4.2.15
typo3/cms-backend | composer  | >= 4.3.0, < 4.3.7   | 4.3.7
typo3/cms-backend | composer  | >= 4.4.0, < 4.4.4   | 4.4.4

Vulnerability Intelligence

Root Cause Analysis

The vulnerability explicitly cites the RemoveXSS function, and commit diffs (aba23d6/ce47d8d) show the flawed single-pass regex replacement was replaced with a while-loop to handle nested encodings. The backend-related XSS is mentioned in advisories but lacks specific function/file references in the provided data, making it impossible to identify concrete functions with high confidence.
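To illustrate the single-pass versus loop-to-fixed-point difference described above, here is an added Python example; it is not TYPO3's RemoveXSS or code from the cited commits, and the token, regexes and sample inputs are constructed assumptions.

```python
import re

# Added example (not TYPO3 code): the bug class named in the root cause above.
# A filter that decodes character references and strips a dangerous token in a
# single pass is bypassed by nested input, because one pass of decoding or
# removal exposes a fresh copy of the token. Looping to a fixed point closes it.
# Token, regexes and sample inputs are assumptions constructed for illustration.

NUMERIC_REF = re.compile(r"&#(x[0-9a-fA-F]+|\d+);")
DANGEROUS = re.compile(r"javascript:", re.IGNORECASE)
MAX_ROUNDS = 10  # bound the loop so crafted input cannot spin it forever


def decode_once(value: str) -> str:
    """Resolve numeric character references one level deep (what a browser does)."""
    def to_char(m: re.Match) -> str:
        ref = m.group(1)
        code = int(ref[1:], 16) if ref[0] in "xX" else int(ref)
        return chr(code) if code <= 0x10FFFF else m.group(0)
    return NUMERIC_REF.sub(to_char, value)


def sanitize_single_pass(value: str) -> str:
    """Flawed shape: decode once, strip once, return."""
    return DANGEROUS.sub("", decode_once(value))


def sanitize_fixed_point(value: str) -> str:
    """Fixed shape: repeat decode + strip until the string stops changing."""
    for _ in range(MAX_ROUNDS):
        new = DANGEROUS.sub("", decode_once(value))
        if new == value:
            return new
        value = new
    raise ValueError("input did not converge; reject it rather than guess")


def reaches_browser_as_dangerous(filtered: str) -> bool:
    """Would a consumer that decodes references once still see the token?"""
    return DANGEROUS.search(decode_once(filtered)) is not None


# Constructed inputs: a token nested in a token, and a reference nested in one.
SAMPLES = ["javajavascript:script:alert(1)", "&#38;#106;avascript:alert(1)"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "single-pass leaks:", reaches_browser_as_dangerous(sanitize_single_pass(s)),
              "fixed-point leaks:", reaches_browser_as_dangerous(sanitize_fixed_point(s)))
```

The round cap matters in practice: a fixed-point loop without one is a denial-of-service surface, so input that keeps changing is rejected instead of partially sanitized.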

WAF Protection Rules

WAF Rule

Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the RemoveXSS function, and allow re
