Headline
CVE-2022-31049: [SECURITY] Avoid HTML injection in password recovery mail · TYPO3/typo3@da61177
TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, user submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem.
Permalink
Browse files
[SECURITY] Avoid HTML injection in password recovery mail
The `receiverName` variable used in the password recovery mail of the Extbase felogin plugin was susceptible to HTML injection due to missing sanitization. The variable is now passed thru the `f:format.htmlspecialchars` ViewHelper.
Resolves: #96559 Releases: main, 11.5, 10.4 Change-Id: I60e23c161f7f2fcc87b8870345b10a4c31d7b8db Security-Bulletin: TYPO3-CORE-SA-2022-004 Security-References: CVE-2022-31049 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74904 Tested-by: Oliver Hader [email protected] Reviewed-by: Oliver Hader [email protected]
- Loading branch information
Related news
> ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.9) ### Problem User submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages. ### Solution Update to TYPO3 versions 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. ### Credits Thanks to Christian Seifert who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue. ### References * [TYPO3-CORE-SA-2022-004](https://typo3.org/security/advisory/typo3-core-sa-2022-004)