TYPO3 Cross-Site Scripting Vulnerability
Vulnerability
The Purplemet Lab team discovered a cross-site scripting (XSS) vulnerability in TYPO3 6.2.0 to 6.2.38 ELTS and TYPO3 7.0.0 to 7.1.0 (CVE-2020-8091). These versions embed a third-party component named SVG Web, which provides svg.swf, a Flash file vulnerable to cross-site scripting.
Solution
Update to TYPO3 6.2.39 ELTS or the latest 6.2.x release, or to the latest TYPO3 7.x release. The component was removed in TYPO3 7.2 (see the commit).
Proof of concept
The vulnerability can be triggered using the following URL:
http://ip/typo3/contrib/websvg/svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert("XSS"),this.x=1}//
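A defender-side way to spot this trigger in web server access logs, added here as an example (not part of the original advisory or of Purplemet's tooling): every request to the svg.swf path is reported, and a uniqueId value that is not a plain identifier is marked suspicious. The log lines, IP addresses and log format are constructed assumptions.

```python
"""Flag access-log requests to the SVG Web svg.swf shipped with TYPO3
6.2.x / 7.0-7.1 (CVE-2020-8091). Added example; log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Path of the vulnerable Flash component inside a TYPO3 installation.
SWF_PATH = "/typo3/contrib/websvg/svg.swf"

# Common/combined log format: we only need client IP, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
    r" (?P<status>\d{3})"
)

# uniqueId is meant to be a plain element id; anything else is suspicious.
SAFE_ID = re.compile(r"^[A-Za-z0-9_-]*$")


def classify(line):
    """None for an unrelated request, 'benign' for svg.swf with well-formed
    uniqueId values, 'suspicious' for svg.swf with anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != SWF_PATH:
        return None
    ids = parse_qs(parts.query, keep_blank_values=True).get("uniqueId", [])
    # parse_qs percent-decodes, so %22 becomes a literal quote here.
    return "benign" if all(SAFE_ID.match(v) for v in ids) else "suspicious"


def scan(lines):
    """Return (ip, verdict, target) for every request to svg.swf."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), verdict, m.group("target")))
    return hits


# Constructed sample log: one normal load, one using the advisory's PoC
# (quotes percent-encoded as a browser would send them), one unrelated hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2020:12:00:00 +0000] "GET /typo3/contrib/websvg/svg.swf?uniqueId=svg1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Feb/2020:12:00:01 +0000] "GET /typo3/contrib/websvg/svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert(%22XSS%22),this.x=1}// HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2020:12:00:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, verdict, target in scan(SAMPLE_LOG):
        print(f"{verdict:10} {ip:15} {target}")
```

Any hit at all, benign or not, shows the vulnerable file is still being served and the installation has not been updated as described in the Solution section.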
Reference
See TYPO3 Security Advisory TYPO3-PSA-2019-003.
Purplemet technology detection
Purplemet detects TYPO3 and flags SVG Web as an Unsafe component.