Project

General

Profile

Actions
Copy link

Bug #93335

closed

XSS in access permission module

Added by Oliver Hader almost 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2021-01-21
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
11
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Steps

  • having be_groups.title containing XSS
Group<img src="x" onerror="alert(1)">
  • open System > Access module for a particular page
  • click on groupname element
  • change to group containing XSS in title (prerequisite) & save
  • click on groupname element again
  • change to different group
  • click on "x" icon in order to revert change

XSS is executed

Reasons

buttonSelector.innerHTML = groupnameHtml;

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Task #93301: Remove jQuery from Permissions moduleClosed2021-01-16

Actions
Actions
Copy link
 #1

Updated by Oliver Hader almost 4 years ago

  • Affected Version set to master, 11.1-dev
Actions
Copy link
 #2

Updated by Oliver Hader almost 4 years ago

  • Related to Task #93301: Remove jQuery from Permissions module added
Actions
Copy link
 #3

Updated by Oliver Hader almost 4 years ago

  • Status changed from New to Accepted
Actions
Copy link
 #4

Updated by Oliver Hader almost 4 years ago

It seems this change was not released yet - I also could not reproduce the behavior in TYPO3 v10.
Given my assumptions are correct, this vulnerability can be fixed using the regular public workflow.

Actions
Copy link
 #5

Updated by Andreas Kienast almost 4 years ago

  • Project changed from 1716 to TYPO3 Core
  • Category deleted (OW-A07: Cross Site Scripting)
  • Reporter deleted (Guido Schmechel)
  • OTRS-Sec Ticket-ID deleted (2021012010000027)
  • Affected Version deleted (master, 11.1-dev)

After talking with Olly, this issue becomes public as this affects the development branch only.

Actions
Copy link
 #6

Updated by Andreas Kienast almost 4 years ago

  • Status changed from Accepted to In Progress
Actions
Copy link
 #7

Updated by Gerrit Code Review almost 4 years ago

  • Status changed from In Progress to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/67508

Actions
Copy link
 #8

Updated by Gerrit Code Review almost 4 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/67508

Actions
Copy link
 #9

Updated by Gerrit Code Review almost 4 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/67508

Actions
Copy link
 #10

Updated by Gerrit Code Review almost 4 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/67508

Actions
Copy link
 #11

Updated by Andreas Fernandez almost 4 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions
Copy link
 #12

Updated by Benni Mack over 3 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF