GHSA-85ch-44w7-rf32: TYPO3 Cross-Site Scripting in Fluid ViewHelpers

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 6/7/2024
Updated: 6/7/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
typo3/cms      composer    >= 8.0.0, < 8.7.23    8.7.23
typo3/cms      composer    >= 9.0.0, < 9.5.4     9.5.4

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from three Fluid ViewHelpers that improperly handled user input encoding. The commit diff shows critical fixes: 1) HtmlentitiesViewHelper switched from ENT_COMPAT to ENT_QUOTES (to encode single quotes) and added string casting, 2) StripTagsViewHelper and UrlencodeViewHelper added checks for __toString() objects and enforced string casting. These functions directly process user input for output rendering, and their pre-patch behavior allowed XSS vectors through incomplete encoding and object handling. The test cases added in the commit explicitly verify proper encoding of objects with __toString(), confirming these were the vulnerable points.
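As an added illustration (not TYPO3's own ViewHelper code), the PHP below contrasts a weak encoder that has both gaps named above (ENT_COMPAT and non-string values passed through) with a hardened one that stringifies first and uses ENT_QUOTES; the DisplayName class, both encode functions and the sample values are hypothetical.

```php
<?php
// Added illustration, not TYPO3's ViewHelper code: why ENT_COMPAT is not
// enough and why objects with __toString() must be cast before encoding.
declare(strict_types=1);

// Hypothetical value object that renders itself via __toString().
final class DisplayName
{
    private string $raw;
    public function __construct(string $raw) { $this->raw = $raw; }
    public function __toString(): string { return $this->raw; }
}

// Weak variant: non-strings are returned untouched, and ENT_COMPAT encodes
// only double quotes, so a single-quoted attribute is left unprotected.
function encodeWeak($value)
{
    if (!is_string($value)) {
        return $value; // object passes through without any encoding
    }
    return htmlentities($value, ENT_COMPAT, 'UTF-8');
}

// Hardened variant: stringify first (honouring __toString()), then encode
// both quote styles with ENT_QUOTES.
function encodeStrict($value): string
{
    if (is_object($value) && method_exists($value, '__toString')) {
        $value = (string)$value;
    } elseif (!is_string($value)) {
        $value = (string)$value; // int, float, bool, null
    }
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a string with both quote styles and a tag,
// plus the same name wrapped in the stringable object.
$samples = ["O'Neil \"the <b>bold</b>\"", new DisplayName("O'Neil")];

foreach ($samples as $value) {
    $weak   = encodeWeak($value);
    $strict = encodeStrict($value);
    // A single-quoted attribute is the context where ENT_COMPAT fails.
    printf("weak:   <span title='%s'>\n", is_string($weak) ? $weak : 'object passed through');
    printf("strict: <span title='%s'>\n", $strict);
}
```

With ENT_COMPAT the apostrophe in the first sample survives unchanged inside the single-quoted attribute; with ENT_QUOTES it becomes `&#039;`, and the object is encoded instead of being handed back untouched.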

WAF Protection Rules

WAF Rule

Failing to properly encode user input, templates using built-in Fluid ViewHelpers are vulnerable to cross-site scripting.
