CVE-2018-6905

Name of the Vulnerable Software and Affected Versions TYPO3 versions prior to 8.7.11 TYPO3 version 9.1.0

Description The issue concerns a problem where an admin can enter a crafted site name during the installation process, leading to XSS via $GLOBALS['TYPO3 CONF VARS']['SYS']['sitename']. This occurs in the page module of the software.

Recommendations For TYPO3 versions prior to 8.7.11, update to version 8.7.11 or later to resolve the issue. For TYPO3 version 9.1.0, consider disabling the use of the $GLOBALS['TYPO3 CONF VARS']['SYS']['sitename'] variable until a patch is available. As a temporary workaround, restrict access to the page module to minimize the risk of exploitation.