XSS in various backend modules due to (un)escaping in JS notification module

Moderate severity
GitHub Reviewed
Published May 18, 2022 in neos/neos-development-collection • Updated Jan 11, 2023

Package

Affected versions
>= 3.3, < 5.3.10
>= 7.0.0, < 7.0.9
>= 7.1.0, < 7.1.7
>= 7.2.0, < 7.2.6
>= 7.3.0, < 7.3.4
>= 8.0.0, < 8.0.2

Patched versions
5.3.10
7.0.9
7.1.7
7.2.6
7.3.4
8.0.2

Published to the GitHub Advisory Database: May 25, 2022
Reviewed: May 25, 2022
Last updated: Jan 11, 2023

Description
The notification module that displays flash messages unescapes HTML coming from the server, resulting in XSS vulnerabilities via various names and labels of entities (e.g. workspace title or media title). Exploiting this attack vector therefore requires being a logged-in user with the respective rights in the first place.
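
The failure mode described above, as an added example (not code from the Neos project): a notification renderer that decodes server-escaped text and places it into markup, beside a hardened version that encodes at the point of output. The message text, helper names and wrapper markup are assumptions made for illustration.

```javascript
// Added illustration only; not code from neos/neos-development-collection.
// Constructed sample: a flash message whose workspace title arrives HTML-escaped.
const serverMessage =
  'Workspace &lt;img src=x onerror=alert(1)&gt; has been discarded';

const DECODE = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#039;': "'", '&amp;': '&' };
const ENCODE = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;', '&': '&amp;' };

// Hypothetical helper: reverses the server's escaping in a single pass.
function unescapeHtml(text) {
  return text.replace(/&(?:lt|gt|quot|#039|amp);/g, (entity) => DECODE[entity]);
}

// Encodes plain text for an HTML element-content context.
function escapeHtml(text) {
  return text.replace(/[<>"'&]/g, (ch) => ENCODE[ch]);
}

// Vulnerable pattern: the decoded label is concatenated into markup,
// so tags inside the title become part of the page.
function renderFlashUnsafe(message) {
  return '<div class="flash">' + unescapeHtml(message) + '</div>';
}

// Hardened pattern: decode to plain text, then encode at the point of output.
// In a browser, assigning the decoded text to element.textContent has the same effect.
function renderFlashSafe(message) {
  return '<div class="flash">' + escapeHtml(unescapeHtml(message)) + '</div>';
}

// True when the rendered fragment contains any tag besides the wrapper div.
function hasInjectedElement(html) {
  const inner = html.replace(/^<div class="flash">/, '').replace(/<\/div>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

console.log('unsafe renders injected element:', hasInjectedElement(renderFlashUnsafe(serverMessage)));
console.log('safe renders injected element:', hasInjectedElement(renderFlashSafe(serverMessage)));
```
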
References