Typo3 core sanitizeLocalUrl() non-persistent cross-site scripting
Description
TYPO3 CMS versions 4.0.0-4.5.40, 6.2.0-6.2.14, and 7.0.0-7.3.0 contain a Cross-Site Scripting (XSS) vulnerability in the sanitizeLocalUrl() function. Attackers can bypass the existing XSS filter by encoding malicious JavaScript payloads using base64 within data URIs. This vulnerability requires user authentication and is non-persistent, meaning the malicious script executes only during the current session and is not stored in the application database.
Affected versions:
- Versions 4.0.0 to 4.5.40
- Versions 6.2.0 to 6.2.14
- Versions 7.0.0 to 7.3.0
Remediation
Immediately upgrade TYPO3 to a patched version that addresses this vulnerability:
- For version 6.2.x branch: Upgrade to TYPO3 6.2.15 or later
- For version 7.x branch: Upgrade to TYPO3 7.4.0 or later
- For version 4.x branch: Migrate to a supported version as the 4.x branch has reached end-of-life
To apply the update:
- Back up your current TYPO3 installation and database
- Download the appropriate patched version from the official TYPO3 website
- Follow the TYPO3 upgrade guide for your specific version
- Test the upgrade in a staging environment before deploying to production
- Clear all caches after upgrading
As an additional security measure, implement Content Security Policy (CSP) headers to provide defense-in-depth protection against XSS attacks, even after patching.