Bug #84191

Updated by Helmut Hummel almost 6 years ago

The page module, when selecting the rootpage, shows $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'],
 but fails to properly HTML encode the value.

 Thanks to Pradeep Jairamani for reporting that privately to security@typo3.org 

 Although this can be considered a stored XSS vulnerability, we can follow our policy to handle this case in public,
 because it is only exploitable by admins.
