CVE-2016-4056 – Stored Cross-Site Scripting in TYPO3 Bookmarks
1. Vulnerability Properties
- Title: Stored Cross-Site Scripting in TYPO3 Bookmarks
- CVE ID: CVE-2016-4056
- CVSSv3 Base Score: 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
- Vendor: TYPO3
- Products: TYPO3 Core (6.2.x)
- Advisory Release Date: 24 February 2016
- Advisory URL: https://labs.integrity.pt/advisories/cve-pending-stored-cross-site-scripting-in-typo3-bookmarks
- Credits: Discovery by Filipe Reis <fr[at]integrity.pt>
2. Vulnerability Summary
TYPO3 core is vulnerable to stored cross-site scripting when a bookmark is created.
3. Technical Details
This Stored-XSS can be exploited when a new bookmark is created.
To replicate this issue we go to any page and click on “Create a bookmark to this page”.
Click OK.
And now grab the POST request that is being passed to the server and change the module” parameter to your payload.
The response of this request will be the following:
Now the page will redirect and the Stored-XSS will be there.
4. Vulnerable Versions
- TYPO3 6.2.x
5. Solution
- Update to TYPO3 6.2.19 or latest.
6. Vulnerability Timeline
- February 15, 2016 — Bug reported to TYPO3
- February 15, 2016 — TYPO3 team acknowledges the vulnerability
- February 23, 2016 — TYPO3 team releases a new version
- February 24, 2016 — Public disclosure