VYPR
Moderate severity · NVD Advisory · Published Jun 14, 2022 · Updated Apr 23, 2025

Cross-Site Scripting in Frontend Login Mailer

CVE-2022-31049

Description

TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, user submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TYPO3 CMS fails to encode user-submitted content in HTML emails, enabling XSS attacks via mail clients.

Vulnerability

In TYPO3 CMS versions prior to 9.5.34 ELTS, 10.4.29, and 11.5.11, user-submitted content is incorporated into HTML-formatted emails without proper encoding. This allows malicious input to be interpreted as active HTML or JavaScript when the email is rendered in a mail client. The affected component is the mail template rendering logic that builds notification or confirmation emails using unescaped user data [1][2].

Exploitation

An attacker needs the ability to submit content that will later be included in an HTML email sent to another user (e.g., via a comment, form submission, or profile field). No special network position or authentication level is required beyond the privileges needed to provide that content. The attack is triggered when the victim reads the email using an HTML-capable mail client; no user interaction beyond opening the message is necessary [1].

Impact

Successful exploitation leads to cross-site scripting (XSS) within the context of the recipient's email client. The attacker may execute arbitrary JavaScript, steal session tokens, redirect to phishing pages, or perform other actions limited by the mail client's security model. The impact is primarily on the confidentiality and integrity of the victim's session and data [1].

Mitigation

TYPO3 CMS versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix that properly encodes user-submitted content before inclusion in HTML emails. All sites should upgrade to one of these patched releases immediately. No workarounds are documented; configuring mail clients to render emails as plain text can reduce risk but is not a complete mitigation [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
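The fix described above encodes the one user-controlled argument (the receiver name) before the translated string is rendered as HTML. The following is an added example, not TYPO3 code, that rebuilds that pattern in Python: the same three-argument recovery template, the pre-fix raw interpolation beside the encoded form, and a check that flags a user-supplied field surviving in the mail body as markup. The template text, the recovery link and the sample name are constructed for the demo.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed stand-in for the felogin translation string: {0} receiver name
# (user-controlled), {1} recovery link, {2} expiry. The real wording lives in
# the extension's language files; this text is an assumption for the demo.
TEMPLATE = (
    '<p>Dear {0},</p>'
    '<p>Reset your password here: <a href="{1}">{1}</a></p>'
    '<p>The link is valid until {2}.</p>'
)

# Constructed sample values (not real tokens or hosts).
LINK = "https://example.test/reset?token=PLACEHOLDER"
SAMPLE_NAME = "Mallory <script>alert(1)</script>"


def render_recovery_mail(receiver_name, recovery_link, valid_until, encode=True):
    """Build the HTML mail body.

    encode=False reproduces the pre-fix behaviour (raw interpolation of the
    receiver name); encode=True mirrors the patch: the user-controlled
    argument is entity-encoded before the string is rendered as HTML.
    """
    # The link is server-generated, but an allow-list on its scheme is a cheap
    # defence-in-depth check against a misconfigured base URL.
    if urlsplit(recovery_link).scheme not in ("http", "https"):
        raise ValueError("recovery link must be http(s)")
    name = html.escape(receiver_name, quote=True) if encode else receiver_name
    return TEMPLATE.format(
        name,
        html.escape(recovery_link, quote=True),   # attribute context: quote=True
        html.escape(str(valid_until), quote=True),
    )


# Outbound sanity check: does a user-supplied value reach the body unencoded
# while looking like active markup?
ACTIVE_MARKUP = re.compile(r"<\s*(script|img|iframe|svg|a)\b|on\w+\s*=|javascript:", re.I)


def contains_active_markup(body, user_field):
    """True if user_field appears verbatim in body and resembles markup."""
    return user_field in body and bool(ACTIVE_MARKUP.search(user_field))
```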

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Registry    Affected versions       Patched versions
typo3/cms-core   Packagist   >= 9.0.0, < 9.5.35      9.5.35
typo3/cms-core   Packagist   >= 10.0.0, < 10.4.29    10.4.29
typo3/cms-core   Packagist   >= 11.0.0, < 11.5.11    11.5.11
typo3/cms        Packagist   >= 10.0.0, < 10.4.29    10.4.29
typo3/cms        Packagist   >= 11.0.0, < 11.5.11    11.5.11

Patches

da611775f921

[SECURITY] Avoid HTML injection in password recovery mail

https://github.com/TYPO3/typo3 · Andreas Fernandez · Jun 14, 2022 · via ghsa
1 file changed · +1 −1
  • typo3/sysext/felogin/Resources/Private/Email/Templates/PasswordRecovery.html (+1 −1, modified)
    @@ -9,7 +9,7 @@
             {f:translate(
             key: 'forgot_validate_reset_password_html',
             extensionName: 'felogin',
    -        arguments: '{ 0: receiverName, 1: recoveryLink, 2: validUntil }'
    +        arguments: '{ 0: "{receiverName -> f:format.htmlspecialchars()}", 1: recoveryLink, 2: validUntil }'
             ) -> f:format.html()}
         </f:spaceless>
     </f:section>
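Review bot: Only argument 0 (receiverName) is now routed through f:format.htmlspecialchars(); arguments 1 (recoveryLink) and 2 (validUntil) are still interpolated raw, and the whole translated string continues to go through f:format.html(), which is exactly the rendering step that turned the unencoded name into live markup. If those two values are guaranteed server-generated, a short comment in the template stating that would keep the next reader from "fixing" it the other way; otherwise they should get the same treatment. It would also be worth checking the other felogin mail templates and any site-level overrides of PasswordRecovery.html, since a customised copy of this file keeps the old, unencoded arguments line.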
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
