2.6

CVSS Score

Basic Information

CVE ID

CVE-2013-7078

GHSA ID

GHSA-qj69-chjp-g4f5

EPSS Score

0.64425%

CWE

CWE-79

Published

5/17/2022

Updated

8/28/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-7078

CVE-2013-7078: TYPO3 Cross-site scripting (XSS) vulnerability in the Extbase Framework

Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in the Extbase Framework in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6, when the Rewritten Property Mapper is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message. NOTE: this might be the same vulnerability as CVE-2013-7072.

(GitHub Advisory)

2.6

CVSS Score

Basic Information

CVE ID

CVE-2013-7078

GHSA ID

GHSA-qj69-chjp-g4f5

EPSS Score

0.64425%

CWE

CWE-79

Published

5/17/2022

Updated

8/28/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

AV:N/AC:H/Au:N/C:N/I:P/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-core	composer	>= 4.5.0, < 4.5.31	4.5.31
typo3/cms-core	composer	>= 4.7.0, < 4.7.16	4.7.16
typo3/cms-core	composer	>= 6.1.0, < 6.1.6	6.1.6
typo3/cms-core	composer	>= 6.0.0, < 6.0.11	6.0.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly identifies the errorAction method in Extbase's ActionController as the source of unencoded output in error messages. Multiple advisories (GHSA, CVE, TYPO3 security bulletin) confirm this method's role in returning user-controlled input without sanitization. The function's direct involvement in error handling and lack of context-aware escaping matches the XSS vulnerability pattern described.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* s*riptin* (XSS) vuln*r**ility in t** *rror**tion m*t*o* in t** **tion*ontroll*r **s* *l*ss in t** *xt**s* *r*m*work in TYPO* *.*.* t*rou** *.*.**, *.*.* t*rou** *.*.**, *.*.* t*rou** *.*.**, *n* *.*.* t*rou** *.*.*, w**n t** R*writt*n Prop

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s t** `*rror**tion` m*t*o* in *xt**s*'s **tion*ontroll*r *s t** sour** o* un*n*o*** output in *rror m*ss***s. Multipl* **visori*s (**S*, *V*, TYPO* s**urity *ull*tin) *on*irm t*is m*t*o*'s rol* in r*t

2.6

Basic Information

Concerned about an active attack path?

CVE-2013-7078: TYPO3 Cross-site scripting (XSS) vulnerability in the Extbase Framework

2.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI