Platform
php
Component
typo3-appointments
Fixed in
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
CVE-2019-25094 describes a problematic cross-site scripting (XSS) vulnerability discovered in the innologi appointments Extension for TYPO3. This flaw allows attackers to inject malicious scripts through the manipulation of formfield arguments, potentially compromising user sessions and data integrity. The vulnerability affects versions 2.0.0 through 2.0.5 of the extension, and a fix is available in version 2.0.6.
Successful exploitation of CVE-2019-25094 allows an attacker to inject arbitrary JavaScript code into the TYPO3 Appointments Extension. This code can then be executed in the context of a user's browser, potentially leading to session hijacking, credential theft, or defacement of the website. The attacker could also redirect users to malicious websites or install malware. Given the widespread use of TYPO3 and its extensions, this vulnerability could have a significant impact if exploited on a large scale. The ability to manipulate formfield arguments remotely makes this vulnerability particularly concerning.
CVE-2019-25094 was publicly disclosed on January 4, 2023. While no active exploitation campaigns have been definitively linked to this specific CVE, XSS vulnerabilities are frequently targeted by attackers. There are no known public proof-of-concept exploits readily available. The vulnerability has been assigned the identifier VDB-217353. Its CVSS score is LOW, indicating a relatively limited impact, but the potential for exploitation remains.
Exploit Status
EPSS
0.25% (48% percentile)
CVSS Vector
The primary mitigation for CVE-2019-25094 is to upgrade the appointments Extension to version 2.0.6 or later. This version includes a patch (identifier: 986d3cb34e5e086c6f04e061f600ffc5837abe7f) that addresses the vulnerability. If immediate upgrading is not possible, consider implementing input validation and sanitization on the Appointment Handler to prevent the injection of malicious scripts. While a Web Application Firewall (WAF) might offer some protection, it's not a substitute for patching. After upgrading, verify the fix by attempting to submit a form with a crafted payload containing a JavaScript snippet; the payload should be properly sanitized and not executed.
Actualice la extensión appointments a la versión 2.0.6 o superior. Esta versión contiene una corrección para la vulnerabilidad de cross-site scripting (XSS). La actualización se puede realizar a través del administrador de extensiones de TYPO3.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2019-25094 is a cross-site scripting (XSS) vulnerability affecting TYPO3 Appointments Extension versions 2.0.0–2.0.5, allowing attackers to inject malicious scripts via formfield manipulation.
You are affected if you are using TYPO3 Appointments Extension versions 2.0.0 through 2.0.5. Upgrade to 2.0.6 to mitigate the risk.
Upgrade the appointments Extension to version 2.0.6 or later. Apply input validation and sanitization as a temporary workaround if upgrading is not immediately possible.
While no active campaigns are definitively linked, XSS vulnerabilities are frequently targeted. Exercise caution and apply the patch promptly.
Refer to the TYPO3 security advisory for detailed information and updates: [https://typo3.org/security/advisory/typo3-extensions-sa-2019-008/](https://typo3.org/security/advisory/typo3-extensions-sa-2019-008/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.