8.8

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-x428-565f-8xj2

EPSS Score

CWE

CWE-22

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-x428-565f-8xj2

GHSA-x428-565f-8xj2: TYPO3 Arbitrary Code Execution and Cross-Site Scripting in Backend API

Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfig_includes is vulnerable to directory traversal leading to same scenarios as having direct access to TSconfig settings.

A valid backend user account having access to modify values for fields pages.TSconfig and pages.tsconfig_includes is needed in order to exploit this vulnerability.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-x428-565f-8xj2

EPSS Score

CWE

CWE-22

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-core	composer	>= 8.0.0, < 8.7.27	8.7.27
typo3/cms-core	composer	>= 9.0.0, < 9.5.8	9.5.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two primary issues: 1) Lack of access control allowing non-admins to modify TSconfig fields, and 2) Insufficient path validation in TSconfig includes. The DataHandler's process_datamap is directly responsible for processing these fields without admin checks (fixed via the PagesTsConfigGuard hook in the patch). The TsConfigLoader's load method is implicated in the directory traversal vulnerability via 'tsconfig_includes', as the patch mentions mitigating traversal in static includes. While the exact pre-patch TsConfigLoader code isn't shown, the CWE-22 reference and commit message strongly suggest this component was vulnerable to path traversal during include resolution.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

***k*n* *PI *on*i*ur*tion usin* P*** TS*on*i* is vuln*r**l* to *r*itr*ry *o** *x**ution *n* *ross-sit* s*riptin*. TS*on*i* *i*l*s o* p*** prop*rti*s in ***k*n* *orms **n ** us** to inj**t m*li*ious s*qu*n**s. *i*l* ts*on*i*_in*lu**s is vuln*r**l* to

Reasoning

T** vuln*r**ility st*ms *rom two prim*ry issu*s: *) L**k o* ****ss *ontrol *llowin* non-**mins to mo*i*y TS*on*i* *i*l*s, *n* *) Insu**i*i*nt p*t* v*li**tion in TS*on*i* in*lu**s. T** **t***n*l*r's pro**ss_**t*m*p is *ir**tly r*sponsi*l* *or pro**ssi

8.8

Basic Information

Concerned about an active attack path?

GHSA-x428-565f-8xj2: TYPO3 Arbitrary Code Execution and Cross-Site Scripting in Backend API

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI