#VU42136 Cross-site scripting in TYPO3 - CVE-2013-7078
Vulnerability identifier: #VU42136
Vulnerability risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-79
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
TYPO3
Web applications /
CMS
Vendor: TYPO3
Description
Vulnerability allows a remote attacker to perform Cross-site scripting attacks.
An input validation error exists in the errorAction method in the ActionController base class in the Extbase Framework in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6, when the Rewritten Property Mapper is enabled,. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Mitigation
Install update from vendor's website.
Vulnerable software versions
TYPO3: 4.5 - 4.7.16, 6.0 - 6.1.6
External links
https://osvdb.org/100885
https://seclists.org/oss-sec/2013/q4/473
https://seclists.org/oss-sec/2013/q4/487
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-004
https://www.securityfocus.com/bid/64239
https://exchange.xforce.ibmcloud.com/vulnerabilities/89629
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
