
TYPO3 Cross-Site Scripting Vulnerability

Purplemet Lab

October 21, 2019


The Purplemet Lab team discovered a cross-site scripting (XSS) vulnerability in TYPO3 6.2.0 to 6.2.38 ELTS and TYPO3 7.0.0 to 7.1.0 (CVE-2020-8091). These versions embed a third-party component named SVG Web, which ships svg.swf, a Flash file vulnerable to cross-site scripting.


Update to TYPO3 6.2.39 ELTS (or the latest 6.2.x release) and to the latest TYPO3 7.x release. The component was removed in TYPO3 7.2; see the commit.
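As an added example (not code from the original advisory or from TYPO3), a Python check a site operator can run against a TYPO3 webroot: it compares the installed version against the affected ranges above and walks the webroot for any svg.swf left behind by the SVG Web component. The file layout built by `demo()` is a constructed sample, not TYPO3's real directory structure.

```python
"""Check a TYPO3 install for the SVG Web svg.swf file and an affected version."""
import os
import re
import tempfile

# Affected version ranges from the advisory (inclusive bounds).
AFFECTED_RANGES = [((6, 2, 0), (6, 2, 38)), ((7, 0, 0), (7, 1, 0))]


def parse_version(version):
    """Turn '6.2.38' (optionally with a suffix such as '-dev') into a tuple."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised TYPO3 version: {version!r}")
    return tuple(int(part) for part in match.groups())


def version_affected(version):
    """True when the version falls inside one of the affected ranges."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def find_svg_swf(webroot):
    """Walk the webroot and return every svg.swf found (case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower() == "svg.swf":
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def assess(version, webroot):
    """Combine both checks: an affected version or a present svg.swf is a finding."""
    hits = find_svg_swf(webroot)
    affected = version_affected(version)
    return {
        "version_affected": affected,
        "svg_swf_paths": hits,
        "needs_action": affected or bool(hits),
    }


def demo():
    """Build a constructed (hypothetical) webroot containing svg.swf and assess it."""
    root = tempfile.mkdtemp(prefix="typo3-demo-")
    flash_dir = os.path.join(root, "typo3", "contrib", "svgweb")  # assumed path
    os.makedirs(flash_dir)
    with open(os.path.join(flash_dir, "svg.swf"), "wb") as fh:
        fh.write(b"FWS")  # placeholder bytes, not a real Flash file
    return assess("6.2.38", root)
```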

Proof of concept

The vulnerability can be triggered using the following URL:



See TYPO3 Security Advisory TYPO3-PSA-2019-003.

Purplemet technology detection

Purplemet detects TYPO3 and flags SVG Web as an unsafe component.

[Figure: Purplemet detection of SVG Web]