CVE-2013-7078 — TYPO3 Cross-site scripting (XSS) vulnerability in the Extbase Framework

Description

Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in the Extbase Framework in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6, when the Rewritten Property Mapper is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message. NOTE: this might be the same vulnerability as CVE-2013-7072.

How to fix CVE-2013-7078

To remediate CVE-2013-7078, upgrade the affected package to a fixed version below.

—upgrade to 4.5.31 or later

Is CVE-2013-7078 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 4.5.0, < 4.5.31

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-7078
PATCHgithub.com/TYPO3-CMS/core
WEBosvdb.org/100885
WEBseclists.org/oss-sec/2013/q4/473
WEBseclists.org/oss-sec/2013/q4/487