CVE-2022-31048: Cross-Site Scripting in TYPO3's Form Framework

CVSS Score: 5.4 (CVSS 3.1)

Basic Information

EPSS Score: 0.71907%
Published: 6/17/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| typo3/cms-core | composer | >= 8.0.0, < 8.7.47 | 8.7.47 |
| typo3/cms-core | composer | >= 9.0.0, < 9.5.35 | 9.5.35 |
| typo3/cms-core | composer | >= 10.0.0, < 10.4.29 | 10.4.29 |
| typo3/cms-core | composer | >= 11.0.0, < 11.5.11 | 11.5.11 |
| typo3/cms | composer | >= 10.0.0, < 10.4.29 | 10.4.29 |
| typo3/cms | composer | >= 11.0.0, < 11.5.11 | 11.5.11 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The commit diff shows critical XSS fixes replacing dangerous .html()/.append() calls with .text()/document.createTextNode(). Specifically:

  1. setStageHeadline() previously used .html(title) with unprocessed user input
  2. Multiple template property handlers directly appended user-controlled values like form element labels and identifiers without sanitization

These patterns match classic DOM-based XSS vulnerabilities where attacker-controlled input flows into HTML injection sinks without proper encoding.
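As an added example (not TYPO3 or Miggo code), the following JavaScript is a heuristic source audit that flags jQuery `.html()`/`.append()` calls whose argument is neither a plain string literal nor a `document.createTextNode()` result, which is the sink pattern the fix replaced. The sample source is constructed, and every identifier in it except `setStageHeadline` is hypothetical.

```javascript
// Heuristic audit: find jQuery HTML sinks that receive non-literal values.
// Matches .html(arg) / .append(arg); the argument may contain one level of nested parentheses.
const SINK = /\.(html|append)\(\s*([^()]*(?:\([^()]*\)[^()]*)*)\)/g;

// Arguments treated as safe: none (getter), one plain string literal, or a text node.
function isSafeArgument(arg) {
  const a = arg.trim();
  if (a === '') return true;                               // .html() used as a getter
  if (/^(['"])(?:\\.|(?!\1).)*\1$/.test(a)) return true;   // single literal, no concatenation
  if (/^document\.createTextNode\(/.test(a)) return true;  // text node is never parsed as HTML
  return false;
}

// Returns one finding per suspicious sink: { line, sink, argument }.
function findUnsafeSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(SINK)) {
      if (!isSafeArgument(m[2])) {
        findings.push({ line: i + 1, sink: m[1], argument: m[2].trim() });
      }
    }
  });
  return findings;
}

// Constructed sample source (not taken from TYPO3).
const SAMPLE = [
  "function setStageHeadline(title) {",
  "  $(headlineSelector).html(title);",                      // flagged: value parsed as HTML
  "  $(headlineSelector).text(title);",                      // ok: text sink
  "  $(labelNode).append(document.createTextNode(label));",  // ok: text node
  "  $(labelNode).append(formElement.get('label'));",        // flagged: non-literal value
  "  $(wrapper).append('<span class=\"icon\"></span>');",    // ok: fixed markup literal
  "  var current = $(wrapper).html();",                      // ok: getter
  "}",
].join('\n');

for (const f of findUnsafeSinks(SAMPLE)) {
  console.log(`line ${f.line}: .${f.sink}(${f.argument})`);
}
```

The pattern match is line-based and does not track data flow, so each finding still needs a manual check of where the argument originates.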
