Vulnerability CVE-2022-31048

Vulnerability Name:

CVE-2022-31048 (CCN-228848)

Assigned:

2022-06-14

Published:

2022-06-14

Updated:

2022-06-23

Summary:

TYPO3 is an open source web content management system. Prior to versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. TYPO3 versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem.

CVSS v3 Severity:

5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

5.4 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2022-31048

Source: XF
Type: UNKNOWN
typo3-cve202231048-xss(228848)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/TYPO3/typo3/commit/6f2554dc4ea0b670fd5599c54fd788d4db96c4a0

Source: CONFIRM
Type: Third Party Advisory
https://github.com/TYPO3/typo3/security/advisories/GHSA-3r95-23jp-mhvg

Source: CCN
Type: TYPO3-CORE-SA-2022-003
Cross-Site Scripting in Form Framework

Source: MISC
Type: Vendor Advisory
https://typo3.org/security/advisory/typo3-core-sa-2022-003

Vulnerable Configuration:

Configuration 1:

cpe:/a:typo3:typo3:*:*:*:*:*:*:*:* (Version >= 11.0.0 and < 11.5.11)

OR cpe:/a:typo3:typo3:*:*:*:*:*:*:*:* (Version >= 10.0.0 and < 10.4.29)

OR cpe:/a:typo3:typo3:*:*:*:*:elts:*:*:* (Version >= 8.0.0 and < 8.7.47)

OR cpe:/a:typo3:typo3:*:*:*:*:elts:*:*:* (Version >= 9.0.0 and < 9.5.35)

Denotes that component is vulnerable

BACK