
TYPO3-PSA-2019-005: Cross-Site Scripting in Bootstrap CSS toolkit before 3.4.1 and 4.3.0

  • Release Date: May 7, 2019
  • Component Type: Bootstrap CSS toolkit (bundled in TYPO3 core package, ext:core)
  • Impact: Cross-Site Scripting, Known Vulnerability
  • Affected Versions: all Bootstrap versions before 3.4.1, and Bootstrap 4.3.0 (4.x before 4.3.1)
  • CVE: CVE-2019-8331

Problem Description

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, cross-site scripting is possible via the tooltip or popover data-template attribute (and the corresponding template option): its content is inserted into the DOM as raw HTML without sanitization, so an attacker who can control that attribute can inject markup that executes script in the context of the page.

Solution

An official fix has been released with Bootstrap versions 3.4.1 and 4.3.1, which add a sanitizer (the sanitize, whiteList and sanitizeFn options) for tooltip and popover templates; see blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/ for details.

Update to TYPO3 version 8.7.25 or 9.5.6, which fix the problem described.

Extension authors who bundle their own copy of Bootstrap with their source code are advised to upgrade or patch those vulnerable copies accordingly.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.