CVE-2016-4056 - Stored Cross-Site Scripting in TYPO3 Bookmarks

1. Vulnerability Properties

Title: Stored Cross-Site Scripting in TYPO3 Bookmarks
CVE ID: CVE-2016-4056
CVSSv3 Base Score: 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
Vendor: TYPO3
Products: TYPO3 Core (6.2.x)
Advisory Release Date: 24 February 2016
Advisory URL: https://labs.integrity.pt/advisories/cve-pending-stored-cross-site-scripting-in-typo3-bookmarks
Credits: Discovery by Filipe Reis <fr[at]integrity.pt>

2. Vulnerability Summary

TYPO3 core is vulnerable to stored cross-site scripting when a bookmark is created.

3. Technical Details

This Stored-XSS can be exploited when a new bookmark is created.

To replicate this issue we go to any page and click on "Create a bookmark to this page".

[Figure 1]

Click OK.

[Figure 2]

Now intercept the POST request that is sent to the server and change the "module" parameter to your payload.

[Figure 3]

The response of this request will be the following:

[Figure 4]

The page will then redirect, and the stored XSS payload will be present in the resulting page.

[Figure 5]

4. Vulnerable Versions

  • TYPO3 6.2.x

5. Solution

  • Update to TYPO3 6.2.19 or the latest version.
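
A defensive pattern for the flaw described in section 3, where the "module" parameter of the bookmark request is stored and later rendered: validate the value on write and HTML-encode it on output. This is an added example, not TYPO3 code and not the patch shipped in 6.2.19; the function names, the module list and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not TYPO3 core code.

/** Modules the backend registers (constructed sample list). */
const REGISTERED_MODULES = ['web_layout', 'web_list', 'file_list'];

/** Accept a "module" value only if it names a registered module. */
function isValidModule(string $module): bool
{
    // Strict comparison so type juggling cannot let a crafted value through.
    return in_array($module, REGISTERED_MODULES, true);
}

/** Validate on write: reject the bookmark before it is stored. */
function createBookmark(array $post, array &$store): bool
{
    $module = $post['module'] ?? '';
    $title  = $post['title'] ?? '';
    // A non-string value (e.g. module[]=...) is rejected outright.
    if (!is_string($module) || !isValidModule($module)) {
        return false;
    }
    $store[] = ['module' => $module, 'title' => is_string($title) ? $title : ''];
    return true;
}

/** Encode on output: stored fields are treated as text, never as markup. */
function renderBookmark(array $bookmark): string
{
    $enc = static function (string $v): string {
        return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    };
    return sprintf(
        '<a class="bookmark" data-module="%s">%s</a>',
        $enc($bookmark['module']),
        $enc($bookmark['title'])
    );
}

// Constructed inputs: one legitimate request, one with markup in "module".
$store = [];
var_dump(createBookmark(['module' => 'web_layout', 'title' => 'Home'], $store));
var_dump(createBookmark(['module' => 'web_layout"><b>x</b>', 'title' => 'T'], $store));

// A row stored before the write-side check existed is still rendered inert.
echo renderBookmark(['module' => 'web_layout"><b>x</b>', 'title' => 'Old']), "\n";
```

The output encoding is the control that neutralises values already in the database; the allowlist only stops new ones from being written.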

6. Vulnerability Timeline

  • February 15, 2016 — Bug reported to TYPO3
  • February 15, 2016 — TYPO3 team acknowledges the vulnerability
  • February 23, 2016 — TYPO3 team releases a new version
  • February 24, 2016 — Public disclosure

7. References

  • https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-006/