CVE-2020-15516
Description
TYPO3 extension mm_forum versions up to 1.9.5 are vulnerable to Cross-Site Scripting (XSS) that can be exploited via Cross-Site Request Forgery (CSRF).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The TYPO3 extension mm_forum through version 1.9.5 fails to properly encode user input for output in HTML context, leading to a stored or reflected XSS vulnerability. The extension also lacks CSRF protection in the "update profile" plugin, enabling an attacker to combine both weaknesses. [2]
Exploitation
An attacker can craft a malicious request to the forum's profile update function, which, when triggered by an authenticated administrator or user, executes arbitrary JavaScript in the victim's browser due to the unsanitized user input. No special network position is required beyond standard web access; the attack relies on user interaction (e.g., clicking a crafted link or visiting a malicious page while authenticated). [2]
Impact
Successful exploitation leads to partial compromise of confidentiality and integrity: the attacker can perform actions on behalf of the victim (e.g., modify profile settings, inject forum content) or steal session tokens, potentially leading to further account takeover within the TYPO3 backend context. [2]
Mitigation
No fix is available as the extension is outdated and unmaintained. The vendor (TYPO3 Security Team) recommends uninstalling and deleting the extension folder from the TYPO3 installation and seeking alternative extensions from the TYPO3 Extension Repository. [2]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TYPO3/mm_forum
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- typo3.org/help/security-advisories
- typo3.org/security/advisory/typo3-ext-sa-2020-013
News mentions
No linked articles in our index yet.