Bug #84191
closed
$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] is not properly encoded in page module
100%
Description
The page module, when selecting the rootpage, show $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'],
but fails to properly html encode the value.
Thanks to Pradeep Jairamani for reporting that privately to security@typo3.org
Although this can be considered as stored XSS vulnerability, we can follow our policy to handle this case in public,
because it is only exploitable by admins.
Updated by Gerrit Code Review about 6 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56083
Updated by Helmut Hummel about 6 years ago
- Description updated (diff)
- Status changed from Under Review to New
Updated by Gerrit Code Review about 6 years ago
- Status changed from New to Under Review
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56085
Updated by Gerrit Code Review about 6 years ago
Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56087
Updated by Helmut Hummel about 6 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset d2c0ea7db3b31a796a82f9d39f77f9983beb7c35.
Updated by