← back
CVE-2020-11064

Cross-Site Scripting in TYPO3 CMS

CVSS 5.4 MEDIUMEPSS 0.5%CWE-79
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.4EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
13 May 2020Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected products
TYPO3 · TYPO3 CMS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-43gj-mj2w-wh46