Listen to this Post
The vulnerability exists within the “Form to Database” (formtodatabase) extension for TYPO3 CMS. It is a reflected Cross-Site Scripting (XSS) flaw caused by improper neutralization of user input in the `$_GET` parameter tx_formtodatabase_list[bash][keyword]. This parameter’s value is not sufficiently sanitized before being output within the HTML response of the backend module. An attacker can craft a malicious URL containing a script payload in this parameter. If an authenticated backend user with sufficient privileges is tricked into clicking the link, the arbitrary JavaScript will execute within their browser session, potentially allowing session hijacking or administrative actions.
Platform: TYPO3 Extension
Version: <2.2.5, <3.2.2, <4.2.3, <5.0.2
Vulnerability: XSS
Severity: Low
date: 2025-09-16
Prediction: Patch: 2025-09-18
What Undercode Say:
`curl -s “https://example.com/typo3/module/FormToDatabase/List?tx_formtodatabase_list[bash][keyword]=“`
`grep -r “search\[keyword\]” typo3conf/ext/formtodatabase/`
How Exploit:
Crafted malicious URL.
Protection from this CVE:
Update extension.
Impact:
Backend XSS.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

