-
The `receiverName` variable used in the password recovery mail of the Extbase felogin plugin was susceptible to HTML injection due to missing sanitization. The variable is now passed thru the `f:format.htmlspecialchars` ViewHelper. Resolves: #96559 Releases: main, 11.5, 10.4 Change-Id: I60e23c161f7f2fcc87b8870345b10a4c31d7b8db Security-Bulletin: TYPO3-CORE-SA-2022-004 Security-References: CVE-2022-31049 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74904 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
The `receiverName` variable used in the password recovery mail of the Extbase felogin plugin was susceptible to HTML injection due to missing sanitization. The variable is now passed thru the `f:format.htmlspecialchars` ViewHelper. Resolves: #96559 Releases: main, 11.5, 10.4 Change-Id: I60e23c161f7f2fcc87b8870345b10a4c31d7b8db Security-Bulletin: TYPO3-CORE-SA-2022-004 Security-References: CVE-2022-31049 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74904 Tested-by:
Loading