Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

TYPO3 is a free and open-source Content Management Framework released under the GNU General Public License. In affected packages, typo3/cms, typo3/cms-core and typo3/cms-frontend versions 8.7.x prior to 8.7.51, 9.0.x prior to 9.5.40, 10.0.x prior to 10.4.35, 11.0.x prior to 11.5.23, and 12.0.x prior to 12.2.0 the TYPO3 core component "GeneralUtility::getIndpEnv()" uses the unfiltered server environment variable "PATH_INFO", which allows attackers to inject malicious content. In combination with the TypoScript setting "config.absRefPrefix=auto", attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of "GeneralUtility::getIndpEnv('SCRIPT_NAME')" and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or "Apache/mod_php" are vulnerable. The usage of server environment variable "PATH_INFO" has been removed from corresponding processings in "GeneralUtility::getIndpEnv()". Besides that, the public property "TypoScriptFrontendController::$absRefPrefix" is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. For users who are unable to patch in a timely manner the TypoScript setting "config.absRefPrefix" should at least be set to a static path value, instead of using auto - e.g. "config.absRefPrefix=/". This workaround **does not fix all aspects of the vulnerability**, and is just considered to be intermediate mitigation to the most prominent manifestation.