TYPO3 Cross-Site Scripting Vulnerability
Purplemet Lab team discovered a cross-site scripting (XSS) vulnerability in TYPO3 6.2.0 to 6.2.38 ELTS and TYPO3 7.0.0 to 7.1.0 (CVE-2020-8091). These versions embed a third-party component named SVG Web, which ships svg.swf, a Flash file vulnerable to cross-site scripting.
Update to TYPO3 6.2.39 ELTS or the latest 6.2.x version, and to the latest TYPO3 7.x version. The component was removed in 7.2 - see the commit.
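As an added example (not code from the advisory or from TYPO3), the following Python helper applies the affected-version ranges and fix versions stated above and scans a web root for the bundled svg.swf; the CVE and version numbers are those of the advisory, while the web root layout and the file's location within it are assumptions.

```python
import re
from pathlib import Path

# Inclusive affected ranges as stated in the advisory (CVE-2020-8091).
AFFECTED_RANGES = [((6, 2, 0), (6, 2, 38)), ((7, 0, 0), (7, 1, 0))]


def parse_version(version: str) -> tuple:
    """Parse a TYPO3 version such as '6.2.38 ELTS' or '7.1.0' into (major, minor, patch).

    The ' ELTS' suffix is ignored; it only marks the extended-support line.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised TYPO3 version: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_action(version: str) -> str:
    """Map a version to the remediation the advisory gives for its branch."""
    v = parse_version(version)
    if not is_affected(version):
        return "not affected by CVE-2020-8091"
    if v[:2] == (6, 2):
        return "update to TYPO3 6.2.39 ELTS or the latest 6.2.x release"
    return "update to the latest TYPO3 7.x release (SVG Web was removed in 7.2)"


def find_svg_swf(webroot: str) -> list:
    """Return every svg.swf found under the web root.

    Assumption: the bundled SVG Web component keeps its original file name,
    so any hit is worth reviewing on an affected installation.
    """
    return sorted(str(p) for p in Path(webroot).rglob("svg.swf"))
```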
Proof of concept
The vulnerability can be triggered using the following URL:
See TYPO3 Security Advisory TYPO3-PSA-2019-003.
Purplemet technology detection
Purplemet detects TYPO3 and flags SVG Web as an Unsafe component.