VYPR
Moderate severity · NVD Advisory · Published Jun 14, 2022 · Updated Apr 23, 2025

Cross-Site Scripting in Form Framework

CVE-2022-31048

Description

TYPO3 is an open source web content management system. Prior to versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. TYPO3 versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TYPO3 Form Designer is vulnerable to stored cross-site scripting (XSS) via the backend module, requiring a valid backend user with form access.

Vulnerability

Overview

CVE-2022-31048 is a cross-site scripting (XSS) vulnerability affecting the Form Designer backend module of TYPO3, an open source content management system. The issue exists due to insufficient sanitization of user input within the Form Framework's backend interface. As a result, an attacker could inject malicious scripts that are then stored and executed in the context of other backend users who view the crafted form definition [1].

Exploitation

Prerequisites

Exploitation requires an authenticated backend user account that has been granted access to the Form module. This means the attacker must have valid credentials with specific permissions to create or edit forms. The XSS payload can be inserted into form fields or configuration settings that are later rendered in the Form Designer interface without proper escaping [1][3]. The attack vector is the backend, not the frontend, so it targets administrative users.
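To make the mechanism concrete, here is an added example (not code from TYPO3 or from this advisory) that models the two DOM sinks involved: inserting a form label as HTML, which is the pre-fix behaviour, versus inserting it as text, which is what the fix switches to. It also includes a small audit helper that walks a stored form definition and reports labels or identifiers containing markup characters, which is useful when reviewing forms created before an upgrade. The form-definition shape used (nested renderables carrying identifier and label) and the sample form are assumptions of this example.

```javascript
// Added example, not code from TYPO3 or from this advisory. It models the
// difference between inserting a form label into the Form Designer DOM as
// HTML (the pre-fix behaviour) and as text (the post-fix behaviour), and adds
// an audit helper for stored form definitions. The form-definition shape
// (nested `renderables` carrying `identifier` and `label`) is assumed here.

// Escape the five characters that matter in HTML text and attribute context.
// This is the same transformation a browser applies when it serializes a text
// node, which is why `.text()` / `document.createTextNode()` are safe sinks.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the label is concatenated straight into markup, so any
// tags it carries become live elements once the browser parses the string.
function renderHeadlineUnsafe(label) {
  return `<h2 data-identifier="stageHeadline">${label}</h2>`;
}

// Hardened rendering: the label is escaped first, so it is displayed verbatim
// and cannot introduce elements, attributes or event handlers.
function renderHeadlineSafe(label) {
  return `<h2 data-identifier="stageHeadline">${escapeHtml(label)}</h2>`;
}

// Check used by the demo: does the rendered fragment contain any tag beyond
// the <h2> wrapper we emitted ourselves? Two tags (open + close) is the
// expected baseline; anything more came from the label.
function introducesExtraElements(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length > 2;
}

// Audit helper: walk a stored form definition and report every label or
// identifier containing characters that an HTML sink would interpret as
// markup. Returns an array of { path, field, value } findings.
function findMarkupInFormDefinition(definition, path = definition.identifier || 'form') {
  const findings = [];
  for (const field of ['label', 'identifier']) {
    const value = definition[field];
    if (typeof value === 'string' && /[<>&]/.test(value)) {
      findings.push({ path, field, value });
    }
  }
  for (const child of definition.renderables || []) {
    findings.push(...findMarkupInFormDefinition(child, `${path}/${child.identifier}`));
  }
  return findings;
}

// Constructed sample form definition (not a real TYPO3 form): one text field
// has a label carrying markup that a backend user could have saved.
const SAMPLE_FORM = {
  type: 'Form',
  identifier: 'contact-form',
  label: 'Contact',
  renderables: [{
    type: 'Page',
    identifier: 'page-1',
    label: 'Page 1',
    renderables: [
      { type: 'Text', identifier: 'name-1', label: '<b>Name</b>' },
      { type: 'Text', identifier: 'email-1', label: 'Email' },
    ],
  }],
};

// Demo: show both renderings of each suspicious label and the audit result.
for (const finding of findMarkupInFormDefinition(SAMPLE_FORM)) {
  console.log(`markup in ${finding.path}.${finding.field}: ${JSON.stringify(finding.value)}`);
  console.log('  unsafe:', renderHeadlineUnsafe(finding.value));
  console.log('  safe:  ', renderHeadlineSafe(finding.value));
}
```

The audit helper is deliberately coarse: it flags any `<`, `>` or `&` rather than trying to decide whether a given string is harmful, because the question a defender needs answered after upgrading is simply which stored forms contain content that the old `.html()` sink would have parsed.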

Impact

If successfully exploited, the attacker can execute arbitrary JavaScript in the browser of any backend user who opens the compromised form within the Form Designer. This could lead to session hijacking, defacement of the backend interface, or theft of sensitive data displayed in the administrative area. Since the attack is stored (persistent), the payload remains present each time the form is accessed until removed [1][2].

Mitigation and Remediation

The vulnerability has been patched in TYPO3 versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11. Administrators are strongly advised to upgrade their TYPO3 installations to one of these fixed versions immediately. There are no known workarounds documented; updating is the only confirmed mitigation. Given that the attack requires backend access, limiting the number of users with Form Designer permissions also reduces the risk surface [1][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions      Patched versions
typo3/cms-core   Packagist   >= 8.0.0, < 8.7.47     8.7.47
typo3/cms-core   Packagist   >= 9.0.0, < 9.5.35     9.5.35
typo3/cms-core   Packagist   >= 10.0.0, < 10.4.29   10.4.29
typo3/cms-core   Packagist   >= 11.0.0, < 11.5.11   11.5.11
typo3/cms        Packagist   >= 10.0.0, < 10.4.29   10.4.29
typo3/cms        Packagist   >= 11.0.0, < 11.5.11   11.5.11

Affected products

4

Patches

1
6f2554dc4ea0

[SECURITY] Ensure text preview of multivalue items in form editor

https://github.com/TYPO3/typo3 · Gabe Troyan · Jun 14, 2022 · via ghsa
1 file changed · +6 −6
  • typo3/sysext/form/Resources/Public/JavaScript/backend/form-editor/stage-component.js · +6 −6 · modified
    @@ -513,10 +513,10 @@ function factory($, Helper, Icons) {
          */
         function setStageHeadline(title) {
           if (getUtility().isUndefinedOrNull(title)) {
    -        title = buildTitleByFormElement();
    +        title = buildTitleByFormElement().text();
           }
     
    -      $(getHelper().getDomElementDataIdentifierSelector('stageHeadline')).html(title);
    +      $(getHelper().getDomElementDataIdentifierSelector('stageHeadline')).text(title);
         };
     
         /**
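Review bot: the switch from `.html(title)` to `.text(title)` in `setStageHeadline` changes the contract for every caller that passes an explicit `title`, not just the undefined-title branch visible here: any caller still building a headline with markup will now see the tags rendered literally. Check the other call sites of `setStageHeadline` and, if any pass HTML, convert them to plain strings in this same change, and update the docblock ending just above the hunk if it documents `title` as an HTML string. The companion `.text()` on `buildTitleByFormElement()` is the right fix for the undefined branch, since that call evidently returns a jQuery object rather than a string.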
    @@ -981,10 +981,10 @@ function factory($, Helper, Icons) {
     
           getHelper()
             .getTemplatePropertyDomElement('_type', template)
    -        .append(getFormElementDefinition(formElement, 'label'));
    +        .append(document.createTextNode(getFormElementDefinition(formElement, 'label')));
           getHelper()
             .getTemplatePropertyDomElement('_identifier', template)
    -        .append(formElement.get('identifier'));
    +        .append(document.createTextNode(formElement.get('identifier')));
         };
     
         /**
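Review bot: `document.createTextNode(undefined)` produces a text node reading "undefined", whereas the previous jQuery `.append(undefined)` appended nothing. If `getFormElementDefinition(formElement, 'label')` can return undefined for elements without a label (not determinable from this hunk), the `_type` cell will now display the literal word "undefined". Consider `document.createTextNode(label ?? '')`, or use jQuery's `.text(...)` on the target element, which would also keep this hunk consistent with the `.text()` approach taken in `setStageHeadline`.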
    @@ -1029,7 +1029,7 @@ function factory($, Helper, Icons) {
     
                 getHelper()
                   .getTemplatePropertyDomElement('_label', rowTemplate)
    -              .append(collectionElementConfiguration['label']);
    +              .append(document.createTextNode(collectionElementConfiguration['label']));
                 $(getHelper().getDomElementDataIdentifierSelector('validatorsContainer'), $(template))
                   .append(rowTemplate.html());
               }
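Review bot: the row is still handed over as a string via `rowTemplate.html()` on the line after the change, so the protection here rests on the browser escaping the text node during serialization before `.append()` re-parses the string. That round-trip is correct today, but appending the `rowTemplate` element (or its children) directly instead of its HTML string would remove the serialize-then-parse step and make the text-node intent survive future edits to the `validatorsContainer` code.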
    @@ -1089,7 +1089,7 @@ function factory($, Helper, Icons) {
               }
             }
     
    -        getHelper().getTemplatePropertyDomElement('_label', rowTemplate).append(label);
    +        getHelper().getTemplatePropertyDomElement('_label', rowTemplate).append(document.createTextNode(label));
     
             if (isPreselected) {
               getHelper().getTemplatePropertyDomElement('_label', rowTemplate).addClass(
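Review bot: `getHelper().getTemplatePropertyDomElement('_label', rowTemplate)` is looked up twice in a row, once to append the label and again inside the `isPreselected` branch to add a class; store the element in a local and reuse it. Also, if `label` can ever be unset, `document.createTextNode(undefined)` renders the literal word "undefined" where jQuery's `.append(undefined)` previously added nothing, so guard with `label ?? ''`.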
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7
