VYPR
Moderate severity · NVD Advisory · Published Sep 13, 2022 · Updated Apr 23, 2025

Stored Cross-Site Scripting via FileDumpController

CVE-2022-36107

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the FileDumpController (backend and frontend context) is vulnerable to cross-site scripting when malicious files are displayed using this component. A valid backend user account is needed to exploit this vulnerability. Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16, which fix the problem. There are no known workarounds for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TYPO3's FileDumpController is vulnerable to stored cross-site scripting (XSS) when serving malicious files, requiring a valid backend user account for exploitation.

Vulnerability

The FileDumpController in TYPO3, used in both backend and frontend contexts, is susceptible to stored cross-site scripting (XSS). The component fails to properly sanitize or restrict the content of files it serves, allowing an attacker to inject malicious scripts into a file that, when displayed via the controller, executes in the victim's browser [1].

Exploitation

To exploit this vulnerability, an attacker must have a valid backend user account. They can upload a file containing JavaScript code. When another user (or the attacker themselves) accesses that file through the FileDumpController, the script runs in the context of the TYPO3 installation [1]. The fix implemented in commits [3] and [4] adds a hard-coded Content-Security-Policy (CSP) header to every response the controller returns; its script-src 'none' directive instructs the browser to execute no script at all (inline or external) in the served file, and object-src and style-src are locked down as well, with a slightly relaxed variant for PDF files so they still render.
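To see why the header closes the hole, here is an added example (not TYPO3 code and not part of this advisory) that parses the two policy strings from the fix commits and resolves the effective script-src the way a browser does: an explicit directive wins over default-src, and when a response carries several Content-Security-Policy headers a load must satisfy every one of them. Only the two policy strings are taken from the commits; the helper names and sample headers are constructed.

```python
from typing import Dict, List, Optional

# Policy strings copied from the two fix commits for CVE-2022-36107.
STRICT_POLICY = "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
PDF_POLICY = ("default-src 'self' 'unsafe-inline'; script-src 'none'; "
              "object-src 'self'; plugin-types application/pdf;")

# Fetch directives that inherit from default-src when not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "object-src",
                    "font-src", "connect-src", "media-src", "frame-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split one CSP header value into {directive: [source-expression, ...]}.
    Names are case-insensitive; a repeated directive is ignored, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Resolve a directive like a browser: explicit directive first, then
    default-src for fetch directives; None means the load is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def policy_blocks_inline_script(header: str) -> bool:
    """True when this single policy forbids inline <script> blocks and on*
    handlers (nonce/hash allow-lists are out of scope for this check)."""
    sources = effective_sources(parse_csp(header), "script-src")
    if sources is None:
        return False                      # no script restriction at all
    return sources == ["'none'"] or "'unsafe-inline'" not in sources


def response_blocks_inline_script(csp_headers: List[str]) -> bool:
    """Several Content-Security-Policy headers (what withAddedHeader can yield)
    are enforced together: every policy must allow a load, so one blocker wins."""
    return any(policy_blocks_inline_script(h) for h in csp_headers)
```

Run it against the response headers of your own file-dump URLs to confirm the patched behaviour is what the browser will actually enforce.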

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, data theft, defacement, or further compromise of the TYPO3 instance [1].

Mitigation

TYPO3 has released patches for the following versions: 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32, and 11.5.16. There are no known workarounds; updating to a patched version is the only remedy [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions       Patched versions
typo3/cms-core (Packagist)  >= 7.0.0, < 7.6.58      7.6.58
typo3/cms-core (Packagist)  >= 8.0.0, < 8.7.48      8.7.48
typo3/cms-core (Packagist)  >= 9.0.0, < 9.5.37      9.5.37
typo3/cms-core (Packagist)  >= 10.0.0, < 10.4.32    10.4.32
typo3/cms-core (Packagist)  >= 11.0.0, < 11.5.16    11.5.16
typo3/cms (Packagist)       >= 10.0.0, < 10.4.32    10.4.32
typo3/cms (Packagist)       >= 11.0.0, < 11.5.16    11.5.16

Affected products: 4

Patches (2)
bd58d2ff2eee

[SECURITY] Mitigate cross-site-scripting in FileDumpController

https://github.com/TYPO3/typo3 · Oliver Hader · Sep 13, 2022 · via ghsa
1 file changed · +22 −4
  • typo3/sysext/core/Classes/Controller/FileDumpController.php · +22 −4 · modified
    @@ -29,8 +29,10 @@
     use TYPO3\CMS\Core\Resource\ProcessedFile;
     use TYPO3\CMS\Core\Resource\ProcessedFileRepository;
     use TYPO3\CMS\Core\Resource\ResourceFactory;
    +use TYPO3\CMS\Core\Resource\ResourceInterface;
     use TYPO3\CMS\Core\Resource\Security\FileNameValidator;
     use TYPO3\CMS\Core\Utility\GeneralUtility;
    +use TYPO3\CMS\Core\Utility\PathUtility;
     
     /**
      * Class FileDumpController
    @@ -77,7 +79,7 @@ public function dumpAction(ServerRequestInterface $request): ResponseInterface
             $event = new ModifyFileDumpEvent($file, $request);
             $event = $this->eventDispatcher->dispatch($event);
             if ($event->isPropagationStopped()) {
    -            return $event->getResponse();
    +            return $this->applyContentSecurityPolicy($event->getFile(), $event->getResponse());
             }
             $file = $event->getFile();
     
    @@ -120,10 +122,13 @@ public function dumpAction(ServerRequestInterface $request): ResponseInterface
                 $file = $file->process(ProcessedFile::CONTEXT_IMAGECROPSCALEMASK, $processingInstructions);
             }
     
    -        return $file->getStorage()->streamFile(
    +        return $this->applyContentSecurityPolicy(
                 $file,
    -            (bool)($parameters['dl'] ?? false),
    -            $parameters['fn'] ?? null
    +            $file->getStorage()->streamFile(
    +                $file,
    +                (bool)($parameters['dl'] ?? false),
    +                $parameters['fn'] ?? null
    +            )
             );
         }
     
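Review bot: the re-nesting is behaviour-preserving, the three `streamFile` arguments are unchanged and only the returned response is wrapped, but note that `$file` can be a `ProcessedFile` at this point (the `process(ProcessedFile::CONTEXT_IMAGECROPSCALEMASK, ...)` branch just above), which is why the new helper accepts `ResourceInterface` rather than `FileInterface`. When the `dl` flag forces a download the policy is not evaluated by the browser, so it is redundant but harmless on that path.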
    @@ -230,4 +235,17 @@ protected function isFileValid(FileInterface $file): bool
                 || GeneralUtility::makeInstance(FileNameValidator::class)
                     ->isValid(basename($file->getIdentifier()));
         }
    +
    +    /**
    +     * Applies hard-coded content-security-policy (CSP) for file to be dumped.
    +     */
    +    protected function applyContentSecurityPolicy(ResourceInterface $file, ResponseInterface $response): ResponseInterface
    +    {
    +        $extension = PathUtility::pathinfo($file->getName(), PATHINFO_EXTENSION);
    +        // same as in `typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/resources-root-htaccess`
    +        $policy = $extension === 'pdf' || $response->getHeaderLine('content-type') === 'application/pdf'
    +            ? "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
    +            : "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';";
    +        return $response->withAddedHeader('content-security-policy', $policy);
    +    }
     }
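Review bot: `$extension === 'pdf'` is case-sensitive, so a file named `report.PDF` whose content type is not exactly `application/pdf` lands in the strict branch; that fails safe from an XSS standpoint (the stricter policy applies) but may keep such a PDF from rendering inline, which is the very reason the PDF branch exists, so lower-casing the extension would make the selection deterministic. Likewise `getHeaderLine('content-type') === 'application/pdf'` is an exact match and will not recognise a value carrying parameters. The `plugin-types` directive has been dropped from CSP Level 3 and current browsers ignore it, so the PDF policy's real restriction on embedding is `object-src 'self'`. The docblock should record why the PDF branch allows `'unsafe-inline'` in `default-src` and that `script-src 'none'` still takes precedence for scripts.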
    
546208428c86

[SECURITY] Mitigate cross-site-scripting in FileDumpController

https://github.com/TYPO3/typo3 · Oliver Hader · Sep 13, 2022 · via ghsa
1 file changed · +22 −4
  • typo3/sysext/core/Classes/Controller/FileDumpController.php · +22 −4 · modified
    @@ -31,8 +31,10 @@
     use TYPO3\CMS\Core\Resource\ProcessedFile;
     use TYPO3\CMS\Core\Resource\ProcessedFileRepository;
     use TYPO3\CMS\Core\Resource\ResourceFactory;
    +use TYPO3\CMS\Core\Resource\ResourceInterface;
     use TYPO3\CMS\Core\Resource\Security\FileNameValidator;
     use TYPO3\CMS\Core\Utility\GeneralUtility;
    +use TYPO3\CMS\Core\Utility\PathUtility;
     
     /**
      * Class FileDumpController
    @@ -100,7 +102,7 @@ public function dumpAction(ServerRequestInterface $request): ResponseInterface
             $event = new ModifyFileDumpEvent($file, $request);
             $event = $this->eventDispatcher->dispatch($event);
             if ($event->isPropagationStopped()) {
    -            return $event->getResponse();
    +            return $this->applyContentSecurityPolicy($event->getFile(), $event->getResponse());
             }
             $file = $event->getFile();
     
    @@ -143,10 +145,13 @@ public function dumpAction(ServerRequestInterface $request): ResponseInterface
                 $file = $file->process(ProcessedFile::CONTEXT_IMAGECROPSCALEMASK, $processingInstructions);
             }
     
    -        return $file->getStorage()->streamFile(
    +        return $this->applyContentSecurityPolicy(
                 $file,
    -            (bool)($parameters['dl'] ?? false),
    -            $parameters['fn'] ?? null
    +            $file->getStorage()->streamFile(
    +                $file,
    +                (bool)($parameters['dl'] ?? false),
    +                $parameters['fn'] ?? null
    +            )
             );
         }
     
    @@ -253,4 +258,17 @@ protected function isFileValid(FileInterface $file): bool
                 || GeneralUtility::makeInstance(FileNameValidator::class)
                     ->isValid(basename($file->getIdentifier()));
         }
    +
    +    /**
    +     * Applies hard-coded content-security-policy (CSP) for file to be dumped.
    +     */
    +    protected function applyContentSecurityPolicy(ResourceInterface $file, ResponseInterface $response): ResponseInterface
    +    {
    +        $extension = PathUtility::pathinfo($file->getName(), PATHINFO_EXTENSION);
    +        // same as in `typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/resources-root-htaccess`
    +        $policy = $extension === 'pdf' || $response->getHeaderLine('content-type') === 'application/pdf'
    +            ? "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
    +            : "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';";
    +        return $response->withAddedHeader('content-security-policy', $policy);
    +    }
     }
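Review bot: `withAddedHeader` appends rather than replaces, so if the storage or a `ModifyFileDumpEvent` listener already set a `content-security-policy` header the response carries two; browsers enforce every policy present and a load must pass all of them, so the combined result is never weaker than this hard-coded one, which is the right failure direction, but a comment would help because the call is easy to mistake for an override. The `'unsafe-inline'` in the PDF branch sits only in `default-src`; `script-src 'none'` is set explicitly and wins for script loads and inline handlers, so it does not reopen script execution. The policy blocks scripts but does not stop a browser from sniffing an uploaded file as HTML; pairing it with `X-Content-Type-Options: nosniff` would be a cheap addition. Apart from the line offsets in the hunk headers this commit is the same change as bd58d2ff2eee.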
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8
