
TYPO3 Cross-Site Scripting Vulnerability

October 21, 2019

Vulnerability

The Purplemet Lab team discovered a cross-site scripting (XSS) vulnerability in TYPO3 6.2.0 to 6.2.38 ELTS and TYPO3 7.0.0 to 7.1.0 (CVE-2020-8091). These versions bundle a third-party component named SVG Web, which ships svg.swf, a Flash file vulnerable to cross-site scripting.

Solution

Update to TYPO3 6.2.39 ELTS (or the latest 6.2.x release) or to the latest TYPO3 7.x release. The SVG Web component was removed in TYPO3 7.2; see the corresponding commit.

Proof of concept

The vulnerability can be triggered using the following URL:

http://ip/typo3/contrib/websvg/svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert("XSS"),this.x=1}//

Reference

See TYPO3 Security Advisory TYPO3-PSA-2019-003.
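Two defender-side checks follow the advisory: whether a TYPO3 version string falls inside the affected ranges given in the Vulnerability section, and whether a web server access log shows requests for the svg.swf path from the proof of concept, with the uniqueId parameter carrying characters that break out of the Flash file's JavaScript string context. This is an added example, not code from Purplemet or the TYPO3 project; the log lines are constructed sample data in Apache combined format, and the IP addresses are documentation ranges.

```python
"""Defender-side helpers for CVE-2020-8091 (TYPO3 SVG Web svg.swf XSS).

Added example, not Purplemet's or TYPO3's code. Two checks:
  1. is_affected(version): does a TYPO3 version string fall in the ranges
     the advisory lists (6.2.0 to 6.2.38 ELTS, 7.0.0 to 7.1.0)?
  2. scan_access_log(lines): report requests for the vulnerable svg.swf path
     and mark those whose uniqueId value contains string-breakout characters.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Affected ranges from the advisory (inclusive on both ends).
AFFECTED_RANGES = [((6, 2, 0), (6, 2, 38)), ((7, 0, 0), (7, 1, 0))]

# Path of the bundled SVG Web Flash file, as given in the proof of concept.
VULNERABLE_PATH = "/typo3/contrib/websvg/svg.swf"


def parse_version(version: str) -> tuple:
    """Turn '6.2.38' (optionally followed by ' ELTS') into (6, 2, 38)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised TYPO3 version: {version!r}")
    return tuple(int(n) for n in m.groups())


def is_affected(version: str) -> bool:
    """True when the version lies in one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Apache/nginx combined log format: client, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Characters that let a value escape the JavaScript string context inside the
# Flash file; the advisory's PoC uses "])} to break out and // to comment out
# the remainder. A legitimate uniqueId is a plain identifier.
BREAKOUT_CHARS = set('"\'<>(){}[];')


def scan_access_log(lines):
    """Return one finding per request to svg.swf.

    Each finding is (client_ip, status, uniqueId_value, suspicious), where
    suspicious is True when uniqueId contains any breakout character.
    Requests that return 404 still matter: they show the path being probed.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(VULNERABLE_PATH):
            continue
        # parse_qs percent-decodes the values for us.
        params = parse_qs(url.query, keep_blank_values=True)
        unique_id = params.get("uniqueId", [""])[0]
        suspicious = any(c in BREAKOUT_CHARS for c in unique_id)
        findings.append((client, int(status), unique_id, suspicious))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # benign page request
    '203.0.113.5 - - [21/Oct/2019:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # probe using the advisory's PoC payload, percent-encoded as a browser would send it
    '203.0.113.7 - - [21/Oct/2019:10:00:09 +0000] "GET /typo3/contrib/websvg/svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert(%22XSS%22),this.x=1}// HTTP/1.1" 200 30210 "-" "curl/7.64.1"',
    # legitimate load of the component with an ordinary identifier
    '198.51.100.3 - - [21/Oct/2019:10:01:00 +0000] "GET /typo3/contrib/websvg/svg.swf?uniqueId=svg0 HTTP/1.1" 200 30210 "-" "Mozilla/5.0"',
    # probe against a patched install where the file no longer exists
    '203.0.113.7 - - [21/Oct/2019:10:02:00 +0000] "GET /typo3/contrib/websvg/svg.swf?uniqueId=%22]) HTTP/1.1" 404 210 "-" "curl/7.64.1"',
]

if __name__ == "__main__":
    for ver in ("6.2.38 ELTS", "6.2.39 ELTS", "7.1.0", "7.2.0"):
        print(f"TYPO3 {ver}: {'affected' if is_affected(ver) else 'not affected'}")
    for client, status, uid, suspicious in scan_access_log(SAMPLE_LOG):
        print(f"{client} status={status} suspicious={suspicious} uniqueId={uid!r}")
```

The path match alone is a useful signal once the component has been removed, since nothing legitimate should request svg.swf anymore; the breakout-character check separates ordinary component loads on unpatched installs from attempts to leave the string context.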

Purplemet technology detection

Purplemet detects TYPO3 and flags SVG Web as an unsafe component.

Purplemet detection of SVG Web
