Bug #84191

closed

$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] is not properly encoded in page module

Added by Helmut Hummel about 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version:
Start date: 2018-03-09
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The page module, when selecting the root page, shows $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'],
but fails to properly HTML-encode the value.

Thanks to Pradeep Jairamani for reporting that privately to

Although this can be considered a stored XSS vulnerability, we can follow our policy to handle this case in public,
because it is only exploitable by admins.
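
The missing encoding described in this report, shown beside the encoded form, as an added example that is not TYPO3's own code and not part of the original report. The function names and the sample sitename are constructed for illustration; only the `$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename']` key comes from the report.

```php
<?php
declare(strict_types=1);

// Constructed sample value: a sitename an admin saved with markup characters.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] = 'Acme "Intranet" <b>& Partners</b>';

/**
 * Hypothetical 'before': the configured value goes into the markup as-is,
 * so the browser interprets any tags it contains.
 */
function siteTitleUnencoded(): string
{
    return (string)($GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] ?? '');
}

/**
 * Hypothetical 'after': encode at the point of output for the HTML context.
 * ENT_QUOTES also covers the value landing inside a quoted attribute;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function siteTitleEncoded(): string
{
    $siteName = (string)($GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] ?? '');
    return htmlspecialchars($siteName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Regression-style check: a fragment that is meant to be plain text must not
 * change when tags are stripped. If it does, it carries markup the browser
 * would interpret.
 */
function hasLiveMarkup(string $fragment): bool
{
    return strip_tags($fragment) !== $fragment;
}

foreach (['unencoded' => siteTitleUnencoded(), 'encoded' => siteTitleEncoded()] as $label => $fragment) {
    printf(
        "%-9s live markup: %s\n          <h1>%s</h1>\n",
        $label,
        var_export(hasLiveMarkup($fragment), true),
        $fragment
    );
}
```

A check like `hasLiveMarkup()` fits a functional test that renders a backend view with a marker-laden sitename and fails if the marker's tags survive into the output.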
