Bug #84191: $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] is not properly encoded in page module - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #84191

closed

$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] is not properly encoded in page module

Added by Helmut Hummel over 6 years ago. Updated about 6 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Target version:

8.7.11

Start date:

2018-03-09

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

The page module, when selecting the rootpage, show $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'],
but fails to properly html encode the value.

Thanks to Pradeep Jairamani for reporting that privately to security@typo3.org

Although this can be considered as stored XSS vulnerability, we can follow our policy to handle this case in public,
because it is only exploitable by admins.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Bug #84191

$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] is not properly encoded in page module

Updated by Gerrit Code Review over 6 years ago

Updated by Helmut Hummel over 6 years ago

Updated by Gerrit Code Review over 6 years ago

Updated by Gerrit Code Review over 6 years ago

Updated by Helmut Hummel over 6 years ago

Updated by Benni Mack about 6 years ago