
CVE-2019-25094: typo3-appointments vulnerable to Cross-site Scripting

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.18664%
Published: 1/4/2023
Updated: 10/20/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: innologi/typo3-appointments
Ecosystem: composer
Vulnerable Versions: < 2.0.6
First Patched Version: 2.0.6

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper output encoding of user-controlled formfield values. The patch replaces the vulnerable Fluid ViewHelpers (f:format.html and f:format.htmlentities) with f:format.htmlspecialchars across multiple templates. These ViewHelpers were vulnerable in this context because:

  1. f:format.html outputs HTML directly, without sanitization.
  2. f:format.htmlentities applies HTML entity encoding, which does not prevent XSS in every output context.
  3. The affected templates render user-controllable inputs such as address fields, form labels, and appointment properties, which require HTML special character escaping before output.
