5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-11064

GHSA ID

GHSA-43gj-mj2w-wh46

EPSS Score

0.43188%

CWE

CWE-79

Published

5/13/2020

Updated

2/5/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-11064

CVE-2020-11064: Cross-Site Scripting in TYPO3 CMS Form Engine

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.

Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described.

References

https://typo3.org/security/advisory/typo3-core-sa-2020-002

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-11064

GHSA ID

GHSA-43gj-mj2w-wh46

EPSS Score

0.43188%

CWE

CWE-79

Published

5/13/2020

Updated

2/5/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-core	composer	>= 9.0.0, < 9.5.17	9.5.17
typo3/cms-core	composer	>= 10.0.0, < 10.4.2	10.4.2
typo3/cms	composer	>= 10.0.0, < 10.4.2	10.4.2
typo3/cms	composer	>= 9.0.0, < 9.5.17	9.5.17

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerable functions are likely related to the processing and rendering of form elements in the TYPO3 CMS Form Engine. The exact functions were identified based on the component affected (Form Engine) and the nature of the vulnerability (XSS in placeholder attributes). The confidence level is medium because while the functions are plausible candidates based on the information provided, the exact patch details are not available to confirm their involvement.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In TYPO* *MS *r**t*r t**n or *qu*l to *.*.* *n* l*ss t**n *.*.** *n* *r**t*r t**n or *qu*l to **.*.* *n* l*ss t**n **.*.*, it **s ***n *is*ov*r** t**t *TML `pl****ol**r` *ttri*ut*s *ont*inin* **t* o* ot**r **t***s* r**or*s *r* vuln*r**l* to *ross-sit

Reasoning

T** vuln*r**l* *un*tions *r* lik*ly r*l*t** to t** pro**ssin* *n* r*n**rin* o* *orm *l*m*nts in t** TYPO* *MS *orm *n*in*. T** *x**t *un*tions w*r* i**nti*i** **s** on t** *ompon*nt *****t** (*orm *n*in*) *n* t** n*tur* o* t** vuln*r**ility (XSS in `

5.4

Basic Information

Concerned about an active attack path?

CVE-2020-11064: Cross-Site Scripting in TYPO3 CMS Form Engine

References

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI