GHSA-wg8h-gxf4-g4gh: TYPO3 Cross-Site Scripting in Online Media Asset Rendering

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 5/30/2024
Updated: 5/30/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name     Ecosystem   Vulnerable Versions    First Patched Version
typo3/cms-core   composer    >= 8.0.0, < 8.7.21     8.7.21
typo3/cms-core   composer    >= 9.0.0, < 9.5.2      9.5.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from multiple layers of insufficient encoding:

  1. The URL construction functions (getPublicUrl/getOEmbedUrl) did not run the video ID through rawurlencode(), so a crafted ID stored in a *.youtube or *.vimeo file could break out of the URL path and carry an attacker-controlled payload into the generated URL.
  2. The renderer classes inserted the resulting URL into the iframe src attribute without HTML-escaping it, so a double quote in the payload terminates the attribute and whatever follows is parsed as further attributes of the iframe.
  3. The attribute collection methods concatenated user-controlled parameters (such as 'class') into the tag without HTML entity encoding, which gives a second injection point, independent of the URL, through which additional attributes such as 'onclick' can be smuggled in.

The patch commits add rawurlencode() for video IDs and htmlspecialchars() for HTML attribute values, confirming these were the vulnerable points. Test cases added in the same commits exercise the XSS escaping scenarios.
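To make the three encoding gaps concrete, the following is an added PHP example written for this page; it is not TYPO3's code and does not reproduce its renderer API. It models the pre-fix and post-fix patterns side by side on a stand-in YouTube renderer, where the video ID plays the role of the content of a *.youtube file (the attacker-controlled input named in the advisory) and the options array plays the role of the rendering parameters. The function names, the option names and the two payloads are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code: a stand-in for a YouTube online-media
// renderer. In TYPO3 a *.youtube file stores only the video ID, so whoever
// can write that file (backend user, SFTP) controls $videoId. Function and
// option names below are illustrative, not TYPO3's own.

// Constructed attacker payloads: a video ID that closes the src attribute,
// and an option value that closes the class attribute.
const CRAFTED_VIDEO_ID = 'dQw4w9WgXcQ" onload="alert(1)';
const CRAFTED_OPTIONS  = ['class' => 'video" onmouseover="alert(2)'];

// Pre-fix pattern: the ID is concatenated into the URL unencoded, and the
// URL and the option values are concatenated into the tag unescaped.
function vulnerableEmbed(string $videoId, array $options): string
{
    $url = 'https://www.youtube.com/embed/' . $videoId;
    $attrs = '';
    foreach ($options as $name => $value) {
        $attrs .= ' ' . $name . '="' . $value . '"';
    }
    return '<iframe src="' . $url . '"' . $attrs . ' allowfullscreen></iframe>';
}

// Post-fix pattern, mirroring the two encoding layers the patch added:
// rawurlencode() keeps the ID inside a single URL path segment, and
// htmlspecialchars() with ENT_QUOTES keeps every value inside its attribute.
// Rejecting attribute names that are not plain identifiers (and any on*
// handler name) is extra hardening added here, not part of the TYPO3 fix.
function hardenedEmbed(string $videoId, array $options): string
{
    $url = 'https://www.youtube.com/embed/' . rawurlencode($videoId);
    $attrs = '';
    foreach ($options as $name => $value) {
        $name = (string)$name;
        if (!preg_match('/^[a-z][a-z0-9-]*$/i', $name) || stripos($name, 'on') === 0) {
            continue;
        }
        $attrs .= ' ' . $name . '="'
            . htmlspecialchars((string)$value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
    }
    return '<iframe src="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"'
        . $attrs . ' allowfullscreen></iframe>';
}

// Check the way a browser would: parse the markup and list any on* attributes
// that ended up on the iframe. A regex over the raw string would misfire here,
// because the escaped class value still contains the text "onmouseover=".
function injectedHandlers(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $found = [];
    foreach ($doc->getElementsByTagName('iframe') as $iframe) {
        foreach ($iframe->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $found[] = $attr->name;
            }
        }
    }
    return $found;
}

$vulnerable = vulnerableEmbed(CRAFTED_VIDEO_ID, CRAFTED_OPTIONS);
$hardened   = hardenedEmbed(CRAFTED_VIDEO_ID, CRAFTED_OPTIONS);

echo $vulnerable, PHP_EOL;
echo 'injected handlers: ', implode(', ', injectedHandlers($vulnerable)) ?: '(none)', PHP_EOL;
echo $hardened, PHP_EOL;
echo 'injected handlers: ', implode(', ', injectedHandlers($hardened)) ?: '(none)', PHP_EOL;
```

Run with `php example.php` (ext-dom is bundled with PHP). The vulnerable output carries the ID's quote straight into the markup, so the parser reports an onload and an onmouseover attribute on the iframe; in the hardened output the quote in the ID becomes %22 inside the URL and the quote in the class value becomes &quot;, so the same payloads survive only as inert text inside their attributes and the parser reports no handlers. The point of checking through a real HTML parser rather than a string match is that the second payload is still visible as plain text in the hardened output; what matters is whether the browser sees it as a separate attribute, and only an encoding fix at the attribute boundary controls that.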

WAF Protection Rules

WAF Rule

Failing to properly encode user input, online media asset rendering (*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user account or write access on the server system (e.g. SFTP) is needed in order to exploit this.