CVE-2010-5098: TYPO3 Cross-site scripting (XSS) vulnerability in the FORM content object
CVSS Score: 3.5
Basic Information
CVE ID: CVE-2010-5098
GHSA ID
EPSS Score: 0.59481%
CWE: CWE-79
Published: 5/17/2022
Updated: 2/7/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
typo3/cms-frontend | composer | >= 4.2.0, < 4.2.16 | 4.2.16 |
typo3/cms-frontend | composer | >= 4.3.0, < 4.3.9 | 4.3.9 |
typo3/cms-frontend | composer | >= 4.4.0, < 4.4.5 | 4.4.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The key evidence is the patch commit (3c5d152), which makes two changes: (1) form labels are passed through t3lib_div::removeXSS() before rendering, and (2) field names are passed through htmlspecialchars(). Both changes address unvalidated user input in the FORM content object's rendering logic. The vulnerability matches the CWE-79 pattern of missing output encoding during form rendering, and the patch pinpoints the affected code in the FORM method of class.tslib_content.php.
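As an added illustration (not TYPO3 code and not the patch itself), a minimal PHP field renderer in the style of the FORM content object, shown with unencoded output beside an encoded version that mirrors the fix described above; the function names and the sample label and field name are constructed for this example, and a plain htmlspecialchars() call stands in for t3lib_div::removeXSS() on the label so the snippet runs without TYPO3.

```php
<?php
// Constructed example: a simplified form-field renderer, not TYPO3's own code.

// Unencoded pattern: label and field name are concatenated into HTML verbatim,
// so markup characters in either value end up interpreted by the browser.
function renderFieldUnsafe(string $fieldName, string $label): string
{
    return '<label for="' . $fieldName . '">' . $label . '</label>'
         . '<input type="text" name="' . $fieldName . '" id="' . $fieldName . '" />';
}

// Hardened pattern, in the spirit of the patch: the field name is encoded for
// attribute context and the label is encoded for element-content context.
// ENT_QUOTES is chosen here so both quote styles are covered; it is this
// example's choice, not a statement about the flags the TYPO3 patch used.
function renderFieldSafe(string $fieldName, string $label): string
{
    $name = htmlspecialchars($fieldName, ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    return '<label for="' . $name . '">' . $text . '</label>'
         . '<input type="text" name="' . $name . '" id="' . $name . '" />';
}

// Constructed sample values carrying a double quote and a tag, the kind of
// characters an unvalidated form definition could contain.
$label     = 'E-mail <b>required</b>';
$fieldName = 'email" class="x';

// Unencoded output: the quote terminates the name attribute early and the
// <b> tag in the label is rendered as markup.
echo renderFieldUnsafe($fieldName, $label), PHP_EOL;

// Encoded output: the quote becomes &quot; and the angle brackets become
// &lt; / &gt;, so both values are displayed as literal text.
echo renderFieldSafe($fieldName, $label), PHP_EOL;
```

A useful regression check for this class of bug is to render a field whose name and label contain `"`, `<` and `>` and assert that none of those characters survive unencoded in the output.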