CVE-2022-36108

TYPO3 is an open source PHP web content management system. The f:asset.css view helper is vulnerable to cross-site scripting when user input is passed as variables.

When updating, be sure to check the version of TYPO3 installed on the server and don’t forget to restart all running services. If you are using a version below 10.4.32 or 11.5.16, there is no way to fix this. You’ll have to upgrade to one of the above versions to be safe. During the upgrade it’s a good idea to disable the use of f:asset.css view helpers by creating a new empty file and adding the following code to this file:

```
<? if(!TYPO3.TYPO3_ENV.IS_TYPO3_OR_PMS) { TYPO3.TYPO3_ENV.HANDLER_CSS = 'Views/Helper/CSS/File.css'; } ?>
```
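An audit aid for the two checks described above, added here as an example and not taken from TYPO3 or the advisory: it compares an installed version against the fixed releases named on this page and lists Fluid variables that appear inside `f:asset.css` blocks so those templates can be reviewed. The function names, the regex heuristics (tag notation only) and the sample template are assumptions made for illustration.

```python
import re

# Fixed releases named on this page, keyed by major version.
FIXED = {10: (10, 4, 32), 11: (11, 5, 16)}

# <f:asset.css ...>inline CSS</f:asset.css> in tag notation (heuristic);
# self-closing tags have no inline CSS body and are skipped.
ASSET_CSS = re.compile(r"<f:asset\.css\b[^>]*(?<!/)>(.*?)</f:asset\.css>", re.S)
# Fluid variable such as {color} or {settings.color -> f:format.raw()};
# a CSS block like "{ color: red; }" does not match.
FLUID_VAR = re.compile(r"\{[A-Za-z_][\w.\-]*(?:\s*->[^{}]*)?\}")


def needs_upgrade(version):
    """True/False for the 10.x and 11.x branches, None for other branches."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    fixed = FIXED.get(parts[0])
    return None if fixed is None else parts < fixed


def variables_in_asset_css(template):
    """Return (line_number, variable) for each variable inside f:asset.css."""
    hits = []
    for block in ASSET_CSS.finditer(template):
        for var in FLUID_VAR.finditer(block.group(1)):
            line = template.count("\n", 0, block.start(1) + var.start()) + 1
            hits.append((line, var.group(0)))
    return hits


# Constructed sample template, not taken from a real site.
SAMPLE = """<f:asset.css identifier="static">
  body { margin: 0; }
</f:asset.css>
<f:asset.css identifier="theme">
  .banner { background: {userColor}; }
</f:asset.css>
<p>{headline}</p>
"""

if __name__ == "__main__":
    for v in ("10.4.31", "10.4.32", "11.5.15", "11.5.16"):
        print(v, "needs upgrade:", needs_upgrade(v))
    for line, var in variables_in_asset_css(SAMPLE):
        print(f"line {line}: {var} inside f:asset.css")
```

A hit only means a variable reaches the view helper; whether it carries user input still has to be traced in the controller or TypoScript that assigns it.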

Apache & nginx

TYPO3 CMS can be served by Apache, nginx, or any other web server that supports FastCGI.

Timeline

Published on: 09/13/2022 18:15:00 UTC
Last modified on: 09/16/2022 14:25:00 UTC

References