Search

Find a vulnerability

Search criteria

    1 vulnerability found for typo3 by typo3

    GCVE-1-2025-0041

    Vulnerability from gna-1 – Published: 2025-12-19 14:25 – Updated: 2025-12-19 14:54 Exclusively Hosted Service
    VLAI
    Title
    [online services] Reflected Cross-Site Scripting (XSS) / HTML Injection in Website Hosted in Luxembourg
    Summary
    The vulnerability, in a series (5) of online services in Luxembourg, occurs because a request parameter (e.g., a search or query parameter) is incorporated directly into the server-generated HTML response without proper escaping. As a result, specially crafted input containing HTML tags and attributes can be interpreted by the browser as active markup rather than plain text. An attacker can exploit this behavior by injecting HTML elements with JavaScript-capable event handlers. When the page is rendered and a user interacts with it (for example, through scrolling or other UI actions), the injected JavaScript executes within the security context of the vulnerable website. This is a reflected XSS issue, meaning the malicious payload is not stored server-side but is immediately reflected in the HTTP response to a single request. Successful exploitation requires a victim to follow a malicious link or otherwise load a request crafted by the attacker. Those vulnerabilities originated from a misconfiguration of the online service. **exclusively-hosted-service**
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Credits
    Mikel Hernández Alonso
    Relationships

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "typo3",
              "vendor": "typo3",
              "versions": [
                {
                  "status": "affected"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "wordpress",
              "vendor": "wordpress",
              "versions": [
                {
                  "status": "affected"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mikel Hern\u00e1ndez Alonso"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe vulnerability, in a series (5) of online services in Luxembourg, occurs because a request parameter (e.g., a search or query parameter) is incorporated directly into the server-generated HTML response without proper escaping. As a result, specially crafted input containing HTML tags and attributes can be interpreted by the browser as active markup rather than plain text.\u003c/p\u003e\n\u003cp\u003eAn attacker can exploit this behavior by injecting HTML elements with JavaScript-capable event handlers. When the page is rendered and a user interacts with it (for example, through scrolling or other UI actions), the injected JavaScript executes within the security context of the vulnerable website.\u003c/p\u003e\n\u003cp\u003eThis is a \u003cstrong\u003ereflected XSS\u003c/strong\u003e issue, meaning the malicious payload is not stored server-side but is immediately reflected in the HTTP response to a single request. Successful exploitation requires a victim to follow a malicious link or otherwise load a request crafted by the attacker.\u003c/p\u003e\u003cp\u003eThose vulnerabilities originated from a misconfiguration of the online service.\u003c/p\u003e**exclusively-hosted-service**"
                }
              ],
              "value": "The vulnerability, in a series (5) of online services in Luxembourg, occurs because a request parameter (e.g., a search or query parameter) is incorporated directly into the server-generated HTML response without proper escaping. As a result, specially crafted input containing HTML tags and attributes can be interpreted by the browser as active markup rather than plain text.\n\n\nAn attacker can exploit this behavior by injecting HTML elements with JavaScript-capable event handlers. When the page is rendered and a user interacts with it (for example, through scrolling or other UI actions), the injected JavaScript executes within the security context of the vulnerable website.\n\n\nThis is a reflected XSS issue, meaning the malicious payload is not stored server-side but is immediately reflected in the HTTP response to a single request. Successful exploitation requires a victim to follow a malicious link or otherwise load a request crafted by the attacker.\n\nThose vulnerabilities originated from a misconfiguration of the online service.\n\n**exclusively-hosted-service**"
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ctt\u003e\u003c/tt\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003ctt\u003eThe sample url is \u0026lt;SAMPLEURL\u0026gt;.lu/recherche/?recherche=%3Caddress+onscrollsnapchange%3Dwindow%5B%27ev%27%2B%27a%27%2B%28%5B%27l%27%2C%27b%27%2C%27c%27%5D%5B0%5D%29%5D%28window%5B%27a%27%2B%27to%27%2B%28%5B%27b%27%2C%27c%27%2C%27d%27%5D%5B0%5D%29%5D%28%27YWxlcnQob3JpZ2luKQ%3D%3D%27%29%29%3B+style%3Doverflow-y%3Ahidden%3Bscroll-snap-type%3Ax%3E%3Cdiv+style%3Dscroll-snap-align%3Acenter%3E1337%3C%2Fdiv%3E%3C%2Faddress%3E\u003cbr\u003e\u003c/tt\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "The sample url is \u003cSAMPLEURL\u003e.lu/recherche/?recherche=%3Caddress+onscrollsnapchange%3Dwindow%5B%27ev%27%2B%27a%27%2B%28%5B%27l%27%2C%27b%27%2C%27c%27%5D%5B0%5D%29%5D%28window%5B%27a%27%2B%27to%27%2B%28%5B%27b%27%2C%27c%27%2C%27d%27%5D%5B0%5D%29%5D%28%27YWxlcnQob3JpZ2luKQ%3D%3D%27%29%29%3B+style%3Doverflow-y%3Ahidden%3Bscroll-snap-type%3Ax%3E%3Cdiv+style%3Dscroll-snap-align%3Acenter%3E1337%3C%2Fdiv%3E%3C%2Faddress%3E"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-244",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-244 XSS Targeting URI Placeholders"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "orgId": "00000000-0000-4000-9000-000000000000"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "exclusively-hosted-service"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-10-07T22:00:00.000Z",
              "value": "Initial reporting"
            }
          ],
          "title": "[online services] Reflected Cross-Site Scripting (XSS) / HTML Injection in Website Hosted in Luxembourg",
          "x_gcve": [
            {
              "recordType": "advisory",
              "vulnId": "gcve-1-2025-0041"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "00000000-0000-4000-9000-000000000000",
        "datePublished": "2025-12-19T14:25:00.000Z",
        "dateUpdated": "2025-12-19T14:54:51.594645Z",
        "requesterUserId": "00000000-0000-4000-9000-000000000000",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "gcve-1-2025-0041",
        "vulnerabilitylookup_history": [
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-19T14:25:11.812890Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-19T14:30:14.448194Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-19T14:30:45.864429Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-19T14:41:48.015387Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-19T14:42:18.937137Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-19T14:43:23.523252Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-19T14:50:30.687423Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-19T14:54:51.594645Z"
          ]
        ]
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }