Bug #93335

XSS in access permission module

Added by Oliver Hader about 1 month ago. Updated 5 days ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2021-01-21
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
11
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Steps

  • having be_groups.title containing XSS
Group<img src="x" onerror="alert(1)">
  • open System > Access module for a particular page
  • click on groupname element
  • change to group containing XSS in title (prerequisite) & save
  • click on groupname element again
  • change to different group
  • click on "x" icon in order to revert change

XSS is executed

Reasons

buttonSelector.innerHTML = groupnameHtml;

Related issues

Related to TYPO3 Core - Task #93301: Remove jQuery from Permissions moduleClosed2021-01-16

Actions
#1

Updated by Oliver Hader about 1 month ago

  • Affected Version set to master, 11.1-dev
#2

Updated by Oliver Hader about 1 month ago

  • Related to Task #93301: Remove jQuery from Permissions module added
#3

Updated by Oliver Hader about 1 month ago

  • Status changed from New to Accepted
#4

Updated by Oliver Hader about 1 month ago

It seems this change was not released yet - I also could not reproduce the behavior in TYPO3 v10.
Given my assumptions are correct, this vulnerability can be fixed using the regular public workflow.

#5

Updated by Andreas Fernandez about 1 month ago

  • Project changed from Core Security to TYPO3 Core
  • Category deleted (OW-A07: Cross Site Scripting)
  • Reporter deleted (Guido Schmechel)
  • OTRS-Sec Ticket-ID deleted (2021012010000027)
  • Affected Version deleted (master, 11.1-dev)

After talking with Olly, this issue becomes public as this affects the development branch only.

#6

Updated by Andreas Fernandez about 1 month ago

  • Status changed from Accepted to In Progress
#7

Updated by Gerrit Code Review about 1 month ago

  • Status changed from In Progress to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/67508

#8

Updated by Gerrit Code Review about 1 month ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/67508

#9

Updated by Gerrit Code Review about 1 month ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/67508

#10

Updated by Gerrit Code Review about 1 month ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/67508

#11

Updated by Andreas Fernandez about 1 month ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#12

Updated by Benni Mack 5 days ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF