XSS in various backend modules due to (un)escaping in JS notification module

Moderate severity GitHub Reviewed Published May 18, 2022 in neos/neos-development-collection • Updated Jan 11, 2023

Package

neos/neos (Composer)

Affected versions

>= 3.3, < 5.3.10
>= 7.0.0, < 7.0.9
>= 7.1.0, < 7.1.7
>= 7.2.0, < 7.2.6
>= 7.3.0, < 7.3.4
>= 8.0.0, < 8.0.2

Patched versions

5.3.10
7.0.9
7.1.7
7.2.6
7.3.4
8.0.2

Description

The notification module that displays flash messages unescapes HTML coming from the server, resulting in XSS vulnerabilities with various names and labels of entities (e.g. workspace title or media title). However, this means you must be a logged-in user with the respective rights in the first place to leverage the attack vector.
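
The pattern described above, as an added JavaScript example that is not code from Neos or from this advisory: a flash message arrives HTML-escaped from the server, and the notification renderer either unescapes it into markup or treats it as text. All function names and the sample message are constructed for illustration.

```javascript
// Added illustration; function names are hypothetical, not the Neos API.

// Reverses server-side HTML escaping: the step the advisory describes.
function unescapeHtml(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#0?39;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" yields "&lt;", not "<"
}

// Escapes text for HTML element content or a quoted attribute value.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the escaped message is unescaped, then used as markup.
function renderNotificationVulnerable(escapedMessage) {
  return '<div class="notification">' + unescapeHtml(escapedMessage) + '</div>';
}

// Hardened pattern: the message is treated as text and escaped at the sink.
// Decoding first avoids showing a literal "&lt;" to the user; re-escaping keeps
// it inert. In a browser, assigning to element.textContent has the same effect.
function renderNotificationHardened(escapedMessage) {
  return '<div class="notification">' + escapeHtml(unescapeHtml(escapedMessage)) + '</div>';
}

// Constructed sample: a flash message embedding a user-chosen workspace title,
// already HTML-escaped by the server.
const sampleMessage =
  'Workspace &quot;&lt;img src=x onerror=alert(1)&gt;&quot; has been published.';

function demo() {
  return {
    vulnerable: renderNotificationVulnerable(sampleMessage),
    hardened: renderNotificationHardened(sampleMessage),
  };
}

console.log(demo());
```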

References

Published to the GitHub Advisory Database May 25, 2022
Reviewed May 25, 2022
Last updated Jan 11, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-jfxf-4frr-9j3q
