DSA-2455-1 typo3-src -- missing input sanitization
ID: oval:org.secpod.oval:def:600783 | Date: (C)2012-04-27 (M)2022-10-10 | Class: PATCH | Family: unix
Helmut Hummel of the typo3 security team discovered that typo3, a web content management system, does not properly sanitize the output of its exception handler. This allows an attacker to conduct cross-site scripting attacks if third-party extensions are installed that do not sanitize this output on their own, or if extensions built on the extbase MVC framework accept objects as arguments to controller actions.