CVE-2022-36108 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2022-36108

CVE-2022-36108

September 13, 2022

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the "f:asset.css" view helper is vulnerable to cross-site scripting when user input is passed as variables to the CSS. Update to TYPO3 version 10.4.32 or 11.5.16 that fix the problem. There are no known workarounds for this issue.

Related Resources (9)

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36108.yaml

https://github.com/TYPO3/typo3/security/advisories/GHSA-fv2m-9249-qx85

https://typo3.org/security/advisory/typo3-core-sa-2022-010

https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36108.json

https://github.com/TYPO3/typo3/commit/6863f73818c36b0b88c677ba533765c8074907b4

https://github.com/TYPO3/typo3

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36108.yaml

https://github.com/TYPO3/typo3/commit/c62e16fac031c270d9759c7261e504c7e25405df

https://nvd.nist.gov/vuln/detail/CVE-2022-36108

Do you need more information?

CVSS v4

Base Score:

5.1

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

PASSIVE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

LOW

Subsequent System Confidentiality

LOW

Subsequent System Integrity

LOW

Subsequent System Availability

LOW

CVSS v3

Base Score:

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

EPSS

Base Score:

0.69

Products

Solutions

Resources

Company

Compare

Developer Tools