Miggo Logo
Miggo Vulnerability Database
GHSA-8m6j-p5jv-v69w

GHSA-8m6j-p5jv-v69w: TYPO3 Cross-Site Scripting in Online Media Asset Rendering

5.4

CVSS Score
3.1

Basic Information

CVE ID
-
GHSA ID
GHSA-8m6j-p5jv-v69w
EPSS Score
-
CWE
CWE-79
Published
6/7/2024
Updated
6/7/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
typo3/cmscomposer>= 7.0.0, < 7.6.327.6.32
typo3/cmscomposer>= 8.0.0, < 8.7.218.7.21
typo3/cmscomposer>= 9.0.0, < 9.5.29.5.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper encoding in URL construction and HTML attribute generation. The patch diff shows critical changes: 1) Replacing urlencode() with rawurlencode() in OEmbed URL construction, 2) Adding htmlspecialchars() encoding in iframe src attributes, 3) Introducing proper attribute escaping via implodeAttributes(). The vulnerable functions directly handled user-controlled video IDs and URL parameters without sufficient encoding, enabling XSS when malicious content was injected into YouTube/Vimeo media identifiers. The high confidence comes from clear pre-patch absence of encoding and post-patch security-focused encoding additions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**ilin* to prop*rly *n*o** us*r input, onlin* m**i* *ss*t r*n**rin* (`*.youtu**` *n* `*.vim*o` *il*s) is vuln*r**l* to *ross-sit* s*riptin*. * v*li* ***k*n* us*r ***ount or writ* ****ss on t** s*rv*r syst*m (*.*. S*TP) is n***** in or**r to *xploit t

Reasoning

T** vuln*r**ility st*ms *rom improp*r *n*o*in* in URL *onstru*tion *n* *TML *ttri*ut* **n*r*tion. T** p*t** *i** s*ows *riti**l ***n**s: *) R*pl**in* `url*n*o**()` wit* `r*wurl*n*o**()` in O*m*** URL *onstru*tion, *) ***in* `*tmlsp**i*l***rs()` *n*o*