cve-2022-31048
Vulnerability from cvelistv5
Published
2022-06-14 20:50
Modified
2024-08-03 07:03
Summary
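TYPO3 is an open source web content management system. Prior to versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. TYPO3 versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem.
Note: the sources in the record below disagree on the 9.x boundary. The CNA data and this description give 9.5.34 as the fixed release, while the embedded NVD CPE configuration lists `versionEndExcluding` 9.5.35 for the 9.x ELTS branch. When matching installed versions against this record, confirm the 9.x boundary against the linked TYPO3 advisory (typo3-core-sa-2022-003).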
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T07:03:40.296Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-3r95-23jp-mhvg" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/TYPO3/typo3/commit/6f2554dc4ea0b670fd5599c54fd788d4db96c4a0" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2022-003" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "typo3", "vendor": "TYPO3", "versions": [ { "status": "affected", "version": "\u003e= 8.0.0, \u003c 8.7.47" }, { "status": "affected", "version": "\u003e= 9.0.0, \u003c 9.5.34" }, { "status": "affected", "version": "\u003e= 10.0.0, \u003c 10.4.29" }, { "status": "affected", "version": "\u003e= 11.0.0, \u003c 11.5.11" } ] } ], "descriptions": [ { "lang": "en", "value": "TYPO3 is an open source web content management system. Prior to versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. TYPO3 versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-14T20:50:18", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-3r95-23jp-mhvg" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/TYPO3/typo3/commit/6f2554dc4ea0b670fd5599c54fd788d4db96c4a0" }, { "tags": [ "x_refsource_MISC" ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2022-003" } ], "source": { "advisory": "GHSA-3r95-23jp-mhvg", "discovery": "UNKNOWN" }, "title": "Cross-Site Scripting in Form Framework", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31048", "STATE": "PUBLIC", "TITLE": "Cross-Site Scripting in Form Framework" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "typo3", "version": { "version_data": [ { "version_value": "\u003e= 8.0.0, \u003c 8.7.47" }, { "version_value": "\u003e= 9.0.0, \u003c 9.5.34" }, { "version_value": "\u003e= 10.0.0, \u003c 10.4.29" }, { "version_value": "\u003e= 11.0.0, \u003c 11.5.11" } ] } } ] }, "vendor_name": "TYPO3" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "TYPO3 is an open source web content management system. 
Prior to versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. TYPO3 versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-3r95-23jp-mhvg", "refsource": "CONFIRM", "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-3r95-23jp-mhvg" }, { "name": "https://github.com/TYPO3/typo3/commit/6f2554dc4ea0b670fd5599c54fd788d4db96c4a0", "refsource": "MISC", "url": "https://github.com/TYPO3/typo3/commit/6f2554dc4ea0b670fd5599c54fd788d4db96c4a0" }, { "name": "https://typo3.org/security/advisory/typo3-core-sa-2022-003", "refsource": "MISC", "url": "https://typo3.org/security/advisory/typo3-core-sa-2022-003" } ] }, "source": { "advisory": "GHSA-3r95-23jp-mhvg", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31048", "datePublished": "2022-06-14T20:50:18", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2024-08-03T07:03:40.296Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "fkie_nvd": { 
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:elts:*:*:*\", \"versionStartIncluding\": \"8.0.0\", \"versionEndExcluding\": \"8.7.47\", \"matchCriteriaId\": \"CD542E1B-F3BA-4816-B97D-D877EFADA02D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:elts:*:*:*\", \"versionStartIncluding\": \"9.0.0\", \"versionEndExcluding\": \"9.5.35\", \"matchCriteriaId\": \"83732441-A020-4401-A274-067B95354BB6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"10.0.0\", \"versionEndExcluding\": \"10.4.29\", \"matchCriteriaId\": \"272C6A8B-94DB-4A74-BB3A-24CD0486DFA7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"11.0.0\", \"versionEndExcluding\": \"11.5.11\", \"matchCriteriaId\": \"772D645D-5158-416C-BF2C-74E5E43EF1DC\"}]}]}]", "descriptions": "[{\"lang\": \"en\", \"value\": \"TYPO3 is an open source web content management system. Prior to versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. TYPO3 versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem.\"}, {\"lang\": \"es\", \"value\": \"TYPO3 es un sistema de administraci\\u00f3n de contenidos web de c\\u00f3digo abierto. En versiones anteriores a 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29 y 11.5.11, el m\\u00f3dulo backend del Dise\\u00f1ador de formularios de Form Framework es vulnerable a un ataque de tipo cross-site scripting. Es necesaria una cuenta de usuario backend v\\u00e1lida con acceso al m\\u00f3dulo de formularios para explotar esta vulnerabilidad. 
TYPO3 versiones 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29 y 11.5.11, contienen una correci\\u00f3n para el problema\"}]", "id": "CVE-2022-31048", "lastModified": "2024-11-21T07:03:47.067", "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}", "published": "2022-06-14T21:15:16.120", "references": "[{\"url\": 
\"https://github.com/TYPO3/typo3/commit/6f2554dc4ea0b670fd5599c54fd788d4db96c4a0\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/TYPO3/typo3/security/advisories/GHSA-3r95-23jp-mhvg\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://typo3.org/security/advisory/typo3-core-sa-2022-003\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/TYPO3/typo3/commit/6f2554dc4ea0b670fd5599c54fd788d4db96c4a0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/TYPO3/typo3/security/advisories/GHSA-3r95-23jp-mhvg\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://typo3.org/security/advisory/typo3-core-sa-2022-003\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]", "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]" }, "nvd": "{\"cve\":{\"id\":\"CVE-2022-31048\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-06-14T21:15:16.120\",\"lastModified\":\"2024-11-21T07:03:47.067\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"TYPO3 is an open source web content management system. Prior to versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. 
TYPO3 versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem.\"},{\"lang\":\"es\",\"value\":\"TYPO3 es un sistema de administraci\u00f3n de contenidos web de c\u00f3digo abierto. En versiones anteriores a 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29 y 11.5.11, el m\u00f3dulo backend del Dise\u00f1ador de formularios de Form Framework es vulnerable a un ataque de tipo cross-site scripting. Es necesaria una cuenta de usuario backend v\u00e1lida con acceso al m\u00f3dulo de formularios para explotar esta vulnerabilidad. TYPO3 versiones 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29 y 11.5.11, contienen una correci\u00f3n para el problema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\"
,\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:elts:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"8.7.47\",\"matchCriteriaId\":\"CD542E1B-F3BA-4816-B97D-D877EFADA02D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:elts:*:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndExcluding\":\"9.5.35\",\"matchCriteriaId\":\"83732441-A020-4401-A274-067B95354BB6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndExcluding\":\"10.4.29\",\"matchCriteriaId\":\"272C6A8B-94DB-4A74-BB3A-24CD0486DFA7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndExcluding\":\"11.5.11\",\"matchCriteriaId\":\"772D645D-5158-416C-BF2C-74E5E43EF1DC\"}]}]}],\"references\":[{\"url\":\"https://github.com/TYPO3/typo3/commit/6f2554dc4ea0b670fd5599c54fd788d4db96c4a0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/TYPO3/typo3/security/advisories/GHSA-3r95-23jp-mhvg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://typo3.org/security/advisory/typo3-core-sa-2022-003\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor 
Advisory\"]},{\"url\":\"https://github.com/TYPO3/typo3/commit/6f2554dc4ea0b670fd5599c54fd788d4db96c4a0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/TYPO3/typo3/security/advisories/GHSA-3r95-23jp-mhvg\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://typo3.org/security/advisory/typo3-core-sa-2022-003\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.