
CVE-2010-5098: TYPO3 Cross-site scripting (XSS) vulnerability in the FORM content object

CVSS Score: 3.5

Basic Information

EPSS Score: 0.59481%
Published: 5/17/2022
Updated: 2/7/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Package Name         Ecosystem   Vulnerable Versions    First Patched Version
typo3/cms-frontend   composer    >= 4.2.0, < 4.2.16     4.2.16
typo3/cms-frontend   composer    >= 4.3.0, < 4.3.9      4.3.9
typo3/cms-frontend   composer    >= 4.4.0, < 4.4.5      4.4.5

Vulnerability Intelligence

Root Cause Analysis

The key evidence comes from the patch commit (3c5d152), which shows two critical changes: 1) t3lib_div::removeXSS() was added to sanitize form labels, and 2) htmlspecialchars() was added to sanitize field names. Both changes address unvalidated, author-controlled input in the FORM content object's rendering logic. The vulnerability matches the CWE-79 pattern of improper output encoding during form rendering, and the patch confirms its exact location: the FORM method of class.tslib_content.php.
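The two sinks the analysis names, shown as an added example that is not TYPO3's code: a form label and field name rendered without encoding beside the encoded rendering. It assumes plain PHP string concatenation in place of the real FORM content object, and substitutes htmlspecialchars() for t3lib_div::removeXSS() on the label; the sample label and field name are constructed.

```php
<?php
// Added example, not TYPO3 code: contrasts unencoded and encoded rendering of a
// form label and field name, the two sinks the patch for CVE-2010-5098 touched.

// Before the fix: label and field name are interpolated into HTML verbatim,
// so markup in the label and a quote in the field name land in the output as-is.
function renderFieldVulnerable(string $label, string $fieldname): string
{
    return '<label for="' . $fieldname . '">' . $label . '</label>'
         . '<input type="text" name="' . $fieldname . '" id="' . $fieldname . '" />';
}

// After the fix: every value is encoded for its HTML context before output.
// TYPO3's patch used t3lib_div::removeXSS() for labels; this standalone example
// uses htmlspecialchars() for both, the generic CWE-79 output-encoding mitigation.
// ENT_QUOTES matters here because the field name sits inside attribute quotes.
function renderFieldHardened(string $label, string $fieldname): string
{
    $safeLabel = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeName  = htmlspecialchars($fieldname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<label for="' . $safeName . '">' . $safeLabel . '</label>'
         . '<input type="text" name="' . $safeName . '" id="' . $safeName . '" />';
}

// Constructed sample input: a label carrying markup and a field name that breaks
// out of the attribute it sits in. Both come from the form definition, so neither
// may be treated as plain text when rendered.
$label     = 'Your name <b>required</b>';
$fieldname = 'name" title="injected';

echo "vulnerable: " . renderFieldVulnerable($label, $fieldname) . "\n";
echo "hardened:   " . renderFieldHardened($label, $fieldname) . "\n";
```

In the vulnerable output the `<b>` renders as markup and the field name adds a second attribute; in the hardened output both appear as literal text and the attribute boundary is preserved.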

WAF Protection Rules

WAF Rule

Cross-site scripting (XSS) vulnerability in the FORM content object in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.