Vulnerability Details : CVE-2022-36108
TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the `f:asset.css` view helper is vulnerable to cross-site scripting when user input is passed as variables to the CSS. Update to TYPO3 version 10.4.32 or 11.5.16 that fix the problem. There are no known workarounds for this issue.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-36108
- cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-36108
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 29 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-36108
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L |
2.3
|
3.7
|
GitHub, Inc. |
CWE ids for CVE-2022-36108
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-36108
-
https://github.com/TYPO3/typo3/commit/6863f73818c36b0b88c677ba533765c8074907b4
[SECURITY] Encode child node variables in f:asset.css view helper · TYPO3/typo3@6863f73 · GitHubPatch;Third Party Advisory
-
https://typo3.org/security/advisory/typo3-core-sa-2022-010
TYPO3-CORE-SA-2022-010: Cross-Site Scripting in <f:asset.css> view helperVendor Advisory
-
https://github.com/TYPO3/typo3/security/advisories/GHSA-fv2m-9249-qx85
Cross-Site Scripting in <f:asset.css> view helper · Advisory · TYPO3/typo3 · GitHubThird Party Advisory
Jump to