CVE-2020-11064
Cross-Site Scripting in TYPO3 CMS Form Engine
CVSS 3.1 base score: 5.4 (MEDIUM)
EPSS: 0.21%
Description
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17, and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML `placeholder` attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. Update to TYPO3 versions 9.5.17 or 10.4.2, which fix the problem described.
References
- https://typo3.org/security/advisory/typo3-core-sa-2020-002
How to fix CVE-2020-11064
To remediate CVE-2020-11064, upgrade the affected package to a fixed version below.
- TYPO3 9.x branch: upgrade to 9.5.17 or later
- TYPO3 10.x branch: upgrade to 10.4.2 or later
Is CVE-2020-11064 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 9.0.0, < 9.5.17, >= 10.0.0, < 10.4.2
- >= 10.0.0, < 10.4.2
- >= 9.0.0, < 9.5.17
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.4) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |