Vulnerability ID 5013

TYPO3 up to 4.6.6 HTML Sanitizing t3lib_div::RemoveXSS() cross site scripting

CVSSv3 Temp Score: 8.4
Current Exploit Price (≈): $0-$1k

A vulnerability classified as critical has been found in TYPO3. It affects the function t3lib_div::RemoveXSS() of the HTML Sanitizing component. Manipulation with an unknown input leads to a cross site scripting vulnerability, with an impact on confidentiality, integrity, and availability. The summary by CVE is:

The t3lib_div::RemoveXSS API method in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism and inject arbitrary web script or HTML via non printable characters.

The weakness was presented on 03/28/2012 by Chris John Riley. The advisory is available for download at typo3.org. The vulnerability has been uniquely identified as CVE-2012-1608 since 03/12/2012. Exploitability is rated as easy. The attack can be initiated remotely, and no form of authentication is needed for exploitation. Technical details are known, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 58541 (Debian DSA-2445-1 : typo3-src - several vulnerabilities), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Debian Local Security Checks.

Upgrading to version 4.4.14, 4.5.14 or 4.6.7 eliminates this vulnerability. A possible mitigation was published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the databases at SecurityFocus (BID 52771), X-Force (74552), Secunia (SA48622) and Vulnerability Center (SBV-40298). Entries connected to this vulnerability are available at 5010, 5011 and 5012.

CVSSv3

Base Score: 8.8
Temp Score: 8.4
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:X/RL:O/RC:X
Reliability: High

CVSSv2

Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Temp Score: 8.7 (CVSS2#E:ND/RL:OF/RC:ND)
Reliability: High

Vector (AV)    Complexity (AC)  Authentication (Au)  Confidentiality (C)  Integrity (I)  Availability (A)
Local (L)      High (H)         Multiple (M)         None (N)             None (N)       None (N)
Adjacent (A)   Medium (M)       Single (S)           Partial (P)          Partial (P)    Partial (P)
Network (N)    Low (L)          None (N)             Complete (C)         Complete (C)   Complete (C)

Exploiting

Class: Cross site scripting (CWE-20)
Local: No
Remote: Yes

Availability: No

Current Price Estimation: $10k-$25k (0-day) / $0-$1k (Today)

Nessus ID: 58541
Nessus Name: Debian DSA-2445-1 : typo3-src - several vulnerabilities
Nessus File: debian_DSA-2445.nasl
Nessus Family: Debian Local Security Checks
OpenVAS ID: 71247
OpenVAS Name: Debian Security Advisory DSA 2445-1 (typo3-src)
OpenVAS File: deb_2445_1.nasl
OpenVAS Family: Debian Local Security Checks

Countermeasures

Recommended: Upgrade
Status: Official fix
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known

Upgrade: TYPO3 4.4.14, 4.5.14, 4.6.7

Timeline

03/12/2012 CVE assigned
03/28/2012 +16 days Advisory disclosed
03/28/2012 +0 days Countermeasure disclosed
03/28/2012 +0 days VulnerabilityCenter entry assigned
03/30/2012 +2 days OSVDB entry created
04/04/2012 +5 days VulDB entry created
09/04/2012 +153 days NVD disclosed
07/03/2013 +302 days VulnerabilityCenter entry created
07/09/2015 +736 days VulDB entry updated

Sources

Advisory: typo3.org
Researcher: Chris John Riley
Confirmation: typo3.org

CVE: CVE-2012-1608 (mitre.org) (nvd.nist.gov) (cvedetails.com)

SecurityFocus: 52771 - TYPO3 Core TYPO3-CORE-SA-2012-001 Multiple Remote Security Vulnerabilities
Secunia: 48622 - TYPO3 Multiple Vulnerabilities, Moderately Critical
X-Force: 74552
Vulnerability Center: 40298 - TYPO3 Multiple Versions Remote Cross-Site Scripting Vulnerability Related to the t3lib_div::RemoveXSS API Method, Medium
OSVDB: 80762 - TYPO3 HTML Sanitizing API t3lib_div::RemoveXSS() Method XSS Weakness

See also: 5010, 5011, 5012

Entry

Created: 04/04/2012
Updated: 07/09/2015
Entry: 86.9% complete