Vulnerability Name:

CVE-2022-31049 (CCN-228847)

Assigned:2022-06-14
Published:2022-06-14
Updated:2022-06-23
Summary:TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, user submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem.
CVSS v3 Severity:5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
5.4 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2022-31049

Source: XF
Type: UNKNOWN
typo3-cve202231049-xss(228847)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/TYPO3/typo3/commit/da611775f92102d7602713003f4c79606c8a445d

Source: CONFIRM
Type: Third Party Advisory
https://github.com/TYPO3/typo3/security/advisories/GHSA-h4mx-xv96-2jgm

Source: CCN
Type: TYPO3-CORE-SA-2022-004
Cross-Site Scripting in Frontend Login Mailer

Source: MISC
Type: Vendor Advisory
https://typo3.org/security/advisory/typo3-core-sa-2022-004

Vulnerable Configuration:Configuration 1:
  • cpe:/a:typo3:typo3:*:*:*:*:*:*:*:* (Version >= 11.0.0 and < 11.5.11)
  • OR cpe:/a:typo3:typo3:*:*:*:*:*:*:*:* (Version >= 10.0.0 and < 10.4.29)
  • OR cpe:/a:typo3:typo3:*:*:*:*:elts:*:*:* (Version >= 9.0.0 and < 9.5.35)

    • * Denotes that component is vulnerable
    BACK
    typo3 typo3 *
    typo3 typo3 *
    typo3 typo3 *