Miggo Logo

CVE-2013-7078: TYPO3 Cross-site scripting (XSS) vulnerability in the Extbase Framework

2.6

CVSS Score

Basic Information

EPSS Score
0.64425%
Published
5/17/2022
Updated
8/28/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
AV:N/AC:H/Au:N/C:N/I:P/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
typo3/cms-corecomposer>= 4.5.0, < 4.5.314.5.31
typo3/cms-corecomposer>= 4.7.0, < 4.7.164.7.16
typo3/cms-corecomposer>= 6.1.0, < 6.1.66.1.6
typo3/cms-corecomposer>= 6.0.0, < 6.0.116.0.11

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description explicitly identifies the errorAction method in Extbase's ActionController as the source of unencoded output in error messages. Multiple advisories (GHSA, CVE, TYPO3 security bulletin) confirm this method's role in returning user-controlled input without sanitization. The function's direct involvement in error handling and lack of context-aware escaping matches the XSS vulnerability pattern described.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* s*riptin* (XSS) vuln*r**ility in t** *rror**tion m*t*o* in t** **tion*ontroll*r **s* *l*ss in t** *xt**s* *r*m*work in TYPO* *.*.* t*rou** *.*.**, *.*.* t*rou** *.*.**, *.*.* t*rou** *.*.**, *n* *.*.* t*rou** *.*.*, w**n t** R*writt*n Prop

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s t** `*rror**tion` m*t*o* in *xt**s*'s **tion*ontroll*r *s t** sour** o* un*n*o*** output in *rror m*ss***s. Multipl* **visori*s (**S*, *V*, TYPO* s**urity *ull*tin) *on*irm t*is m*t*o*'s rol* in r*t