Bug #84191

$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] is not properly encoded in page module

Added by Helmut Hummel over 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version:
Start date: 2018-03-09
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The page module, when selecting the root page, shows $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'],
but fails to properly HTML-encode the value.

Thanks to Pradeep Jairamani for reporting that privately to

Although this can be considered a stored XSS vulnerability, we can follow our policy to handle this case in public,
because it is only exploitable by admins.
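
The missing output encoding described above, shown as an added example that is not TYPO3's code or the patch from this ticket. The two render functions and the sample site name are hypothetical; only the configuration key comes from the report.

```php
<?php
// Constructed sample value. In TYPO3 this is set by an admin in
// $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'].
$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] = 'Acme "Intranet" <b>& Partners</b>';

// Hypothetical "before": the stored value is concatenated into markup
// unencoded, so tags and quotes inside it are interpreted by the browser.
function renderRootTitleUnsafe(): string
{
    $siteName = $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'];
    return '<h1 title="' . $siteName . '">' . $siteName . '</h1>';
}

// Hardened form: encode at output time. ENT_QUOTES encodes both quote
// styles, so the value is also safe inside the title attribute.
function renderRootTitleSafe(): string
{
    $siteName = htmlspecialchars(
        (string)$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'],
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<h1 title="' . $siteName . '">' . $siteName . '</h1>';
}

$unsafe = renderRootTitleUnsafe();
$safe = renderRootTitleSafe();

// Self-check: the encoded output carries no raw tag from the value, and
// the only raw double quotes left are the two that delimit the attribute.
if (strpos($safe, '<b>') !== false || substr_count($safe, '"') !== 2) {
    throw new RuntimeException('site name was not encoded');
}

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```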

#1

Updated by Gerrit Code Review over 3 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56083

#2

Updated by Helmut Hummel over 3 years ago

  • Description updated (diff)
  • Status changed from Under Review to New

#3

Updated by Gerrit Code Review over 3 years ago

  • Status changed from New to Under Review

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56085

#4

Updated by Gerrit Code Review over 3 years ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56087

#5

Updated by Helmut Hummel over 3 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#6

Updated by Benni Mack about 3 years ago

  • Status changed from Resolved to Closed
