CVE-2014-7200 in dmmjobcontrol
Summary
by MITRE
Cross-site scripting (XSS) vulnerability in pi1/class.tx_dmmjobcontrol_pi1.php in the JobControl (dmmjobcontrol) extension 2.14.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via the tx_dmmjobcontrol_pi1[search][keyword] parameter to jobs/.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/26/2025
The CVE-2014-7200 vulnerability represents a critical cross-site scripting flaw within the TYPO3 JobControl extension, specifically affecting versions 2.14.0 and earlier. This vulnerability resides in the pi1/class.tx_dmmjobcontrol_pi1.php file and exposes the system to remote code execution risks through web script injection. The flaw manifests when the tx_dmmjobcontrol_pi1[search][keyword] parameter is manipulated in the jobs/ endpoint, creating an exploitable vector for malicious actors to inject arbitrary web scripts or HTML content into the application's response.
The technical implementation of this vulnerability stems from inadequate input validation and output sanitization within the TYPO3 extension's search functionality. When users submit search queries through the keyword parameter, the system fails to properly escape or filter the input before rendering it in the web page context. This omission allows attackers to craft malicious payloads that execute within the browser context of legitimate users who view the affected search results. The vulnerability directly maps to CWE-79, which defines Cross-Site Scripting as a weakness where untrusted data is improperly incorporated into web page content without adequate sanitization.
The operational impact of this vulnerability extends beyond simple script injection, as it can enable attackers to perform session hijacking, deface websites, steal sensitive user information, or redirect victims to malicious domains. Given that TYPO3 is a widely used content management system for enterprise applications, the exploitation of this vulnerability could compromise multiple websites simultaneously. Attackers could leverage this flaw to execute persistent XSS attacks, potentially gaining access to user sessions and sensitive data within the TYPO3 administrative interfaces.
Security professionals should implement immediate mitigations including input validation and output encoding for all user-supplied data within the search functionality. The recommended approach involves sanitizing the tx_dmmjobcontrol_pi1[search][keyword] parameter through proper HTML entity encoding before rendering any user input in the web response. Additionally, organizations should consider implementing Content Security Policy (CSP) headers to limit script execution contexts and prevent unauthorized code injection. The vulnerability aligns with ATT&CK technique T1059.001, which describes the use of scripting languages for code execution, and T1566.001, which covers the exploitation of web application vulnerabilities for initial access. Regular security updates and patch management processes should be prioritized to address similar vulnerabilities in third-party TYPO3 extensions, as this flaw demonstrates the critical importance of maintaining up-to-date software components in enterprise web environments.