Cross-Site Scripting in TYPO3 Flow

It has been discovered that TYPO3 Flow is susceptible to Cross-Site Scripting.

Component Type: TYPO3 Flow
Affected Versions: 1.1.0, 2.0.0 and current development branch.
Release Date: December 10, 2013

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C
CVE: CVE-2013-7082

Problem Description: The errorAction method in the ActionController base class of Flow returns error messages without properly encoding them. Because these error messages can contain user input, this could lead to a Cross-Site Scripting vulnerability in Flow-driven applications.

Hint: If you have customized the error action in your Flow application, we advise you to check that the error messages returned in these actions only contain static strings and are not derived from any kind of user input. If you are not sure whether your code is fine in that regard, feel free to ask on a public mailing list or the forum.
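
Example: To make the check in the hint concrete, the following standalone PHP example is added here for illustration; it is not Flow's code and not part of the original advisory. The function names and the layout of the error array are assumptions. It shows an error message built from a request argument without encoding, the same message with every dynamic part HTML-encoded, and a static-only message.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a customized error action. The function names and
// the error array layout are assumptions for illustration, not Flow's API.

/** Unsafe: places the submitted value into the response body unencoded. */
function errorMessageUnsafe(array $errors): string
{
    $out = 'Validation failed:';
    foreach ($errors as $e) {
        $out .= "\n" . $e['property'] . ': "' . $e['value'] . '" ' . $e['message'];
    }
    return $out;
}

/** Encodes every dynamic part for an HTML context before returning it. */
function errorMessageEncoded(array $errors): string
{
    $enc = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $out = 'Validation failed:';
    foreach ($errors as $e) {
        $out .= "\n" . $enc($e['property']) . ': "' . $enc($e['value']) . '" ' . $enc($e['message']);
    }
    return $out;
}

/** Static-only variant, as the hint recommends: no user input in the message. */
function errorMessageStatic(array $errors): string
{
    return sprintf('Validation failed for %d argument(s).', count($errors));
}

// Constructed sample input: a request argument that carries markup.
$errors = [
    [
        'property' => 'email',
        'value'    => '<script>alert(1)</script>',
        'message'  => 'is not a valid address',
    ],
];

echo errorMessageUnsafe($errors), "\n\n";  // markup reaches the browser intact
echo errorMessageEncoded($errors), "\n\n"; // markup is emitted as inert text
echo errorMessageStatic($errors), "\n";    // nothing user-controlled in the output
```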

Solution: Update to Flow versions 1.1.1 or 2.0.1, which fix the problem described!

Note: The same problem applies to the Extbase Framework in TYPO3. Read the corresponding advisory TYPO3-CORE-SA-2013-004 for more information.