Miggo Logo
Miggo Vulnerability Database
CVE-2021-28380

CVE-2021-28380:
Aimeos Typo3 extension contains Cross-site Scripting vulnerability

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-28380
GHSA ID
GHSA-73wv-rgj7-vjj9
EPSS Score
0.50449%
CWE
CWE-79
Published
5/24/2022
Updated
8/3/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
aimeos/aimeos-typo3composer< 19.10.1219.10.12
aimeos/aimeos-typo3composer>= 20.0.0, < 20.10.520.10.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The provided vulnerability reports indicate an XSS flaw in backend user input handling, but no specific code snippets, commit diffs, or patching details are available. While the vulnerability likely exists in functions processing backend user input for HTML output (e.g., controller actions or template rendering), the lack of concrete technical details about the implementation makes it impossible to identify exact functions/paths with high confidence. TYPO3 extensions typically use Fluid templates with auto-escaping, so the vulnerability might involve unsafe raw output directives or unescaped parameters in backend modules, but this remains speculative without code evidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *im*os (*k* *im*os s*op *n* *-*omm*r** *r*m*work) *xt*nsion ***or* **.**.** *n* **.x ***or* **.**.* *or TYPO* *llows *ross-sit* S*riptin* (XSS) vi* * ***k*n* us*r ***ount.

Reasoning

T** provi*** vuln*r**ility r*ports in*i**t* *n XSS *l*w in ***k*n* us*r input **n*lin*, *ut no sp**i*i* *o** snipp*ts, *ommit *i**s, or p*t**in* **t*ils *r* *v*il**l*. W*il* t** vuln*r**ility lik*ly *xists in *un*tions pro**ssin* ***k*n* us*r input *