Project

General

Profile

Actions

Bug #97930

closed

Harden distribution overview in extension manager

Added by Frank Nägler over 2 years ago. Updated about 1 month ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Security
Target version:
-
Start date:
2022-07-13
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The distribution overview page is vulnerable for XSS.

If a distribution description contains XSS within the first 150 characters, the overview execute the code.

File: EXT:extensionmanager/Resources/Private/Partials/List/Distribution.html

Affected code: {distribution.description -> f:format.crop(maxCharacters: 150) -> f:format.raw()}

Reproduce: inject the code <script>alert('XSS');</script> to the description of an extension / distribution and open the overview.


Files

exteions.xml.gz.png (78.4 KB) exteions.xml.gz.png Oliver Hader, 2022-07-25 11:10

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Task #82000: Use new card layout for distributions list viewClosedMarkus Sommer2017-07-28

Actions
Actions

Also available in: Atom PDF