CVE-2019-25094: typo3-appointments vulnerable to Cross-site Scripting
CVSS Score: 6.1 (CVSS 3.1)
Basic Information
CVE ID: CVE-2019-25094
GHSA ID:
EPSS Score: 0.18664%
CWE:
Published: 1/4/2023
Updated: 10/20/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| innologi/typo3-appointments | composer | < 2.0.6 | 2.0.6 |
Vulnerability Intelligence (Miggo AI)
Root Cause Analysis
The vulnerability stems from improper output encoding of user-controlled form field values. The patch replaces the vulnerable Fluid ViewHelpers (f:format.html and f:format.htmlentities) with f:format.htmlspecialchars across multiple templates. The replaced ViewHelpers were unsafe in these templates because:
- f:format.html outputs its input as raw HTML without escaping it
- f:format.htmlentities applies HTML entity encoding, which does not prevent XSS in every output context
- the affected templates render user-controllable input such as address fields, form labels, and appointment properties, all of which require HTML special-character escaping before output.