CVE-2008-2718
Description
Cross-site scripting (XSS) vulnerability in fe_adminlib.inc in TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, as used in extensions such as (1) direct_mail_subscription, (2) feuser_admin, and (3) kb_md5fepw, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XSS in TYPO3 fe_adminlib.inc allows remote attackers to inject arbitrary web script or HTML, affecting versions 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the fe_adminlib.inc library of TYPO3, which is used by extensions such as direct_mail_subscription, feuser_admin, and kb_md5fepw. The flaw allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Affected versions are TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1 [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to a TYPO3 instance that uses the vulnerable fe_adminlib.inc library. No authentication is required, and the attack can be performed remotely. The exact input vectors are not disclosed in the available references, but the XSS is triggered when the library processes user-supplied data without proper sanitization [1].
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the victim's browser. This can lead to session hijacking, defacement, credential theft, or other malicious actions performed under the victim's identity and privileges within the TYPO3 frontend.
Mitigation
The vulnerability is fixed in TYPO3 versions 4.0.9, 4.1.7, and 4.2.1. Users should upgrade to these or later versions. No workarounds are documented in the available references [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
18cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*+ 17 more
- cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.2:*:*:*:*:*:*:*
- (no CPE)range: <=4.0.8, <=4.1.6, <=4.2.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- secunia.com/advisories/30619nvdVendor Advisory
- secunia.com/advisories/30660nvdVendor Advisory
- securityreason.com/securityalert/3945nvd
- typo3.org/teams/security/security-bulletins/typo3-20080611-1/nvd
- www.debian.org/security/2008/dsa-1596nvd
- www.securityfocus.com/archive/1/493270/100/0/threadednvd
- www.securityfocus.com/bid/29657nvd
- www.vupen.com/english/advisories/2008/1802nvd
- exchange.xforce.ibmcloud.com/vulnerabilities/42986nvd
News mentions
0No linked articles in our index yet.