CVE-2018-6905
Description
TYPO3 page module before 8.7.11 and 9.1.0 has stored XSS via the site name configuration, allowing admin-level persistent script injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The page module in TYPO3 versions before 8.7.11 and 9.1.0 contains a persistent cross-site scripting (XSS) vulnerability via the `$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename']` configuration value. The site name is written into the page module output without HTML encoding, specifically where the `<h1>` heading content is generated. An administrator with access to the installation configuration or the TYPO3 backend can set a crafted site name containing malicious JavaScript [1][2]. The fix applied in commit d2c0ea7 wraps the site name in `htmlspecialchars()` before output [4].
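The unescaped concatenation and its encoded replacement, written out as an added PHP example (not code from TYPO3 or from the fix commit); the site name value is constructed here, and the `renderHeadingUnsafe`, `renderHeadingSafe` and `headingIsEncoded` names are assumptions:

```php
<?php
declare(strict_types=1);

// Constructed sample value standing in for $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'].
// Any markup an admin stores here is what the backend page module will print.
$sitename = 'Acme Shop <b>&</b> Co';

// Pre-fix behaviour (PageLayoutController before 8.7.11 / 9.1.0): raw concatenation,
// so markup in the site name becomes live HTML for every backend user viewing the module.
function renderHeadingUnsafe(string $sitename): string
{
    return '<h1>' . $sitename . '</h1>';
}

// Post-fix behaviour (commit d2c0ea7): encode at the output site.
// Default htmlspecialchars() flags encode &, <, > and double quotes, which is
// sufficient for element content inside <h1>; an attribute context would need ENT_QUOTES.
function renderHeadingSafe(string $sitename): string
{
    return '<h1>' . htmlspecialchars($sitename) . '</h1>';
}

// Regression check of the kind the fix did not ship with: the text between the <h1>
// tags must not contain a raw '<', otherwise stored markup would still be rendered.
function headingIsEncoded(string $html): bool
{
    $inner = substr($html, strlen('<h1>'), -strlen('</h1>'));
    return strpos($inner, '<') === false;
}

foreach (['unsafe' => renderHeadingUnsafe($sitename), 'safe' => renderHeadingSafe($sitename)] as $label => $html) {
    printf("%-6s %s  encoded=%s\n", $label, $html, headingIsEncoded($html) ? 'yes' : 'no');
}
```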
Exploitation
An attacker who has administrative access to the TYPO3 backend (typically during or after installation) can change the site name to include a JavaScript payload [2]. No additional authentication or user interaction is required beyond the admin saving the crafted name; the XSS triggers for any user who views the page module in the backend, because the unescaped string is rendered directly [1][2].
Impact
Successful exploitation results in stored XSS within the TYPO3 backend page module. An attacker can execute arbitrary JavaScript in the context of any backend user viewing the affected page, potentially leading to session hijacking, defacement, or theft of sensitive information [1][2]. The attack is persistent once the malicious site name is saved.
Mitigation
TYPO3 versions 8.7.11 and 9.1.0 include the fix that properly HTML-encodes the site name using htmlspecialchars() [4]. Users should upgrade to these or later versions immediately. If upgrading is not possible, administrators should avoid setting untrusted site names and review any existing site name for suspicious content. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/cms (Packagist) | < 9.2.0 | 9.2.0 |
Affected products
Patches
d2c0ea7db3b3 [BUGFIX] Properly HTML encode site name in page module
1 file changed · +1 −1
typo3/sysext/backend/Classes/Controller/PageLayoutController.php+1 −1 modified@@ -784,7 +784,7 @@ function deleteRecord(table,id,url) { // 'mainJsFunctions', 'if (top.fsMod) top.fsMod.recentIds["web"] = ' . (int)$this->id . ';' ); - $content .= '<h1>' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] . '</h1>'; + $content .= '<h1>' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename']) . '</h1>'; $view = GeneralUtility::makeInstance(StandaloneView::class); $view->setTemplatePathAndFilename(GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Private/Templates/InfoBox.html')); $view->assignMultiple([
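Review bot: the encoding is applied at this one output site with no test covering it; a regression test that sets $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] to a value containing `<` and asserts the page module output contains `&lt;` rather than the raw character would keep this from silently regressing. The call uses htmlspecialchars() with default flags, which encode `&`, `<`, `>` and `"`; that is sufficient for element content inside `<h1>`, the context in this hunk, but would not be enough if the same value were later placed into an attribute. The neighbouring `(int)$this->id` cast in the JavaScript line is already the right treatment for that value.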
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3w22-wrwx-2r75 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-6905 (GHSA, advisory)
- www.securitytracker.com/id/1040755 (GHSA, vdb-entry, x_refsource_SECTRACK, web)
- forge.typo3.org/issues/84191 (GHSA, x_refsource_MISC, web)
- github.com/TYPO3/typo3/commit/d2c0ea7db3b31a796a82f9d39f77f9983beb7c35 (GHSA, web)
News mentions
No linked articles in our index yet.