svn commit: r487425 - head/security/vuxml
Tijl Coosemans
tijl at FreeBSD.org
Fri Dec 14 13:32:05 UTC 2018
On Fri, 14 Dec 2018 11:57:19 +0000 (UTC) Jochen Neumeister <joneum at FreeBSD.org> wrote:
> Author: joneum
> Date: Fri Dec 14 11:57:19 2018
> New Revision: 487425
> URL: https://svnweb.freebsd.org/changeset/ports/487425
>
> Log:
> Add entry for typo3-8 and typo3-9
>
> PR: 233935 233936
> Sponsored by: Netzkommune GmbH
>
> Modified:
> head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml
> ==============================================================================
> --- head/security/vuxml/vuln.xml Fri Dec 14 11:28:43 2018 (r487424)
> +++ head/security/vuxml/vuln.xml Fri Dec 14 11:57:19 2018 (r487425)
> @@ -58,6 +58,68 @@ Notes:
> * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> + <vuln vid="bab29816-ff93-11e8-b05b-00e04c1ea73d">
> + <topic>typo3 -- multiple vulnerabilities</topic>
> + <affects>
> + <package>
> + <name>typo3-8</name>
> + <range><lt>8.7.21</lt></range>
> + </package>
> + <package>
> + <name>typo3-9</name>
> + <range><lt>9.5.2</lt></range>
> + </package>
> + </affects>
> + <description>
> + <body xmlns="http://www.w3.org/1999/xhtml">
> + <p>Typo3 core team reports:</p>
> + <blockquote cite="https://typo3.org/article/typo3-952-8721-and-7632-security-releases-published/">
> + <p>CKEditor 4.11 fixes an XSS vulnerability in the HTML parser reported by maxarr.
> + The vulnerability stemmed from the fact that it was possible to execute XSS inside
> + the CKEditor source area after persuading the victim to: (i) switch CKEditor to
> + source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker,
> + into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.
> + Although this is an unlikely scenario, we recommend to upgrade to the latest editor version.</p>
> + <p>Failing to properly encode user input, online media asset rendering
> + (*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user
> + account or write access on the server system (e.g. SFTP) is needed in order to exploit this
> + vulnerability.</p>
> + <p>Failing to properly encode user input, notifications shown in modal windows in the TYPO3
> + backend are vulnerable to cross-site scripting. A valid backend user account is needed in
> + order to exploit this vulnerability.</p>
> + <p>Failing to properly encode user input, login status display is vulnerable to cross-site
> + scripting in the website frontend. A valid user account is needed in order to exploit this
> + vulnerability - either a backend user or a frontend user having the possibility to modify
> + their user profile.
> + Template patterns that are affected are:
> + ###FEUSER_[fieldName]### using system extension felogin
> + <!--###USERNAME###--> for regular frontend rendering (pattern can be
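Review bot: the literal `<!--###USERNAME###-->` on the last quoted line sits inside the XHTML `<body>` of the description, so an XML parser reads it as a comment rather than text and the felogin template pattern silently disappears from the rendered entry (the earlier `###FEUSER_[fieldName]###` on the line above is fine because it contains no angle brackets). Encode it as `&lt;!--###USERNAME###--&gt;` so the marker survives as visible text, and run the vuxml validation target on the modified vuln.xml before committing to catch stray markup inside `<p>` elements.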
I've HTML encoded the < and > here in r487432.