CVE-2010-3715: TYPO3 cross-site scripting (XSS) vulnerability in the RemoveXSS function and the backend
CVSS Score: 4.3
Basic Information
CVE ID: CVE-2010-3715
GHSA ID
EPSS Score: 0.52631%
CWE
Published: 5/17/2022
Updated: 2/8/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
typo3/cms-backend | composer | >= 4.2.0, < 4.2.15 | 4.2.15 |
typo3/cms-backend | composer | >= 4.3.0, < 4.3.7 | 4.3.7 |
typo3/cms-backend | composer | >= 4.4.0, < 4.4.4 | 4.4.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability explicitly cites the RemoveXSS function, and the commit diffs (aba23d6/ce47d8d) show that the flawed single-pass regex replacement was replaced with a while-loop so that nested encodings are handled. The backend-related XSS is mentioned in advisories but lacks specific function/file references in the provided data, making it impossible to identify concrete functions with high confidence.