CVSS Score: -

The vulnerability was caused by missing output encoding in the ConfirmationFinisher of the TYPO3 Form framework. Before the patch, executeInternal() returned the user-supplied 'message' value verbatim, so any HTML or script markup contained in it was emitted into the page unchanged. The fix renders the message through a Fluid template via StandaloneView, whose default variable output is HTML-escaped; that the escaping had to be introduced by the fix shows the original implementation performed no contextual encoding at all. Returning unescaped user input directly to the response matches the cross-site scripting pattern described in CWE-79.
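The contrast described above, as an added illustration that is not TYPO3's own code: a minimal stand-in for a finisher whose 'message' option can carry user-controlled text. The class names, the option array and the sample payload are constructed for this example; the closure in the fixed variant stands in for Fluid's StandaloneView, where plain `{variable}` output is HTML-escaped by default (assumption: the real finisher passes the message into such a template, and the template does not bypass escaping with f:format.raw).

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code: minimal model of a form finisher whose
// 'message' option may contain user-controlled text.
abstract class AbstractFinisherDemo
{
    /** @var array<string, string> finisher options (constructed for the example) */
    protected array $options;

    public function __construct(array $options)
    {
        $this->options = $options;
    }

    abstract public function executeInternal(): string;
}

// Pre-patch shape: the option value is returned verbatim, so any markup
// in it reaches the browser as live HTML.
final class VulnerableConfirmationFinisher extends AbstractFinisherDemo
{
    public function executeInternal(): string
    {
        return $this->options['message'];
    }
}

// Patched shape: the value is only ever emitted through a template that
// HTML-escapes variables. The closure is a stand-in (assumption) for a
// Fluid StandaloneView with a template such as
//   <div class="confirmation">{message}</div>
final class FixedConfirmationFinisher extends AbstractFinisherDemo
{
    public function executeInternal(): string
    {
        $template = static function (array $vars): string {
            // Escape for HTML body context; ENT_QUOTES also covers attribute
            // quoting, ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
            $escaped = htmlspecialchars(
                $vars['message'],
                ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
                'UTF-8'
            );
            return '<div class="confirmation">' . $escaped . '</div>';
        };

        return $template(['message' => $this->options['message']]);
    }
}

// Constructed sample input: a confirmation text that echoes attacker-chosen
// markup, as could happen when the message interpolates a submitted field.
$payload = 'Thanks, <script>alert(document.cookie)</script>!';

echo (new VulnerableConfirmationFinisher(['message' => $payload]))->executeInternal(), PHP_EOL;
echo (new FixedConfirmationFinisher(['message' => $payload]))->executeInternal(), PHP_EOL;
```

Running this prints the first line with the script tag intact and the second with `<` and `>` converted to entities. When auditing a TYPO3 site for this class of issue, check custom finishers for `return $this->parseOption(...)` or similar direct returns of option values, and check any Fluid template used by a finisher for `f:format.raw` or `f:format.htmlentitiesDecode` applied to user-influenced variables, since either reintroduces the unescaped path the fix closed.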
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| typo3/cms | composer | >= 8.0.0, < 8.7.23 | 8.7.23 |
| typo3/cms | composer | >= 9.0.0, < 9.5.4 | 9.5.4 |