Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-4459-qrcc-vfcf: TYPO3 Cross-Site Scripting in Form Framework

Failing to properly encode user input, frontend forms handled by the form framework (system extension “form”) are vulnerable to cross-site scripting.

ghsa
Open in Source
#xss#vulnerability#git#perl
GHSA-76r3-m635-p3vc: TYPO3 Cross-Site Scripting in Language Pack Handling

Failing to properly encode information from external sources, language pack handling in the install tool is vulnerable to cross-site scripting.

GHSA-22q7-cg4r-p9mx: TYPO3 Cross-Site Scripting in Fluid ViewHelpers

Failing to properly encode user input, templates using built-in Fluid ViewHelpers are vulnerable to cross-site scripting.

GHSA-ppvg-hw62-6ph9: TYPO3 Security Misconfiguration in Install Tool Cookie

It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.

GHSA-8c25-vj2w-p72j: TYPO3 Cross-Site Scripting in Frontend User Login

Failing to properly encode user input, login status display is vulnerable to cross-site scripting in the website frontend. A valid user account is needed in order to exploit this vulnerability - either a backend user or a frontend user having the possibility to modify their user profile. Template patterns that are affected are - ###FEUSER_[fieldName]### using system extension felogin - <!--###USERNAME###--> for regular frontend rendering (pattern can be defined individually using TypoScript setting config.USERNAME_substToken)

GHSA-g4c9-qfvw-fmr4: TYPO3 Cross-Site Scripting in Backend Modal Component

Failing to properly encode user input, notifications shown in modal windows in the TYPO3 backend are vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability.

GHSA-wg8h-gxf4-g4gh: TYPO3 Cross-Site Scripting in Online Media Asset Rendering

Failing to properly encode user input, online media asset rendering (*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user account or write access on the server system (e.g. SFTP) is needed in order to exploit this vulnerability.

ORing IAP-420 2.01e Cross Site Scripting / Command Injection

ORing IAP-420 version 2.01e suffers from remote command injection and persistent cross site scripting vulnerabilities.

Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities

Cybersecurity researchers have warned that multiple high-severity security vulnerabilities in WordPress plugins are being actively exploited by threat actors to create rogue administrator accounts for follow-on exploitation. "These vulnerabilities are found in various WordPress plugins and are prone to unauthenticated stored cross-site scripting (XSS) attacks due to inadequate input sanitization

GHSA-pp7v-wxx9-hm6r: Thelia BackOffice default template vulnerable to Cross-site Scripting

The BackOffice of Thelia (`error.html` template) has a cross-site scripting vulnerability in version 2.1.0 and 2.1.1 but not version 2.0.X. Version 2.1.2 contains a patch for the issue.