CVE-2016-4056 - Stored Cross-Site Scripting in TYPO3 Bookmarks

1. Vulnerability Properties

Title: Stored Cross-Site Scripting in TYPO3 Bookmarks
CVE ID: CVE-2016-4056
CVSSv3 Base Score: 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
Vendor: TYPO3
Products: TYPO3 Core (6.2.x)
Advisory Release Date: 24 February 2016
Advisory URL: https://labs.integrity.pt/advisories/cve-pending-stored-cross-site-scripting-in-typo3-bookmarks
Credits: Discovery by Filipe Reis <fr[at]integrity.pt>

2. Vulnerability Summary

TYPO3 core is vulnerable to stored cross-site scripting when a bookmark is created.

3. Technical Details

This Stored-XSS can be exploited when a new bookmark is created.

To replicate this issue we go to any page and click on "Create a bookmark to this page".

Click OK.

And now grab the POST request that is being passed to the server and change the "module" parameter to your payload.

The response of this request will be the following:

Now the page will redirect and the Stored-XSS will be there.

4. Vulnerable Versions

• TYPO3 6.2.x

5. Solution

• Update to TYPO3 6.2.19 or latest.

6. Vulnerability Timeline

• February 15, 2016 — Bug reported to TYPO3
• February 15, 2016 — TYPO3 team acknowledges the vulnerability
• February 23, 2016 — TYPO3 team releases a new version
• February 24, 2016 — Public disclosure

7. References

• https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-006/