CVE-2020-16095

Name of the Vulnerable Software and Affected Versions dlf (aka Kitodo.Presentation) versions prior to 3.1.2 dlf (aka Kitodo.Presentation) version 2.3.1 and earlier in the 2.x branch

Description The issue is related to Cross Site Scripting (XSS) due to the failure to properly encode URL parameters for output in HTML. Only sites using the ListView, Navigation, or PageView plugins are affected. The software also includes jQuery 3.4.1, which is known to be vulnerable to Cross Site Scripting, although there is currently no known way to exploit this in Kitodo.Presentation.

Recommendations For versions prior to 3.1.2, update to version 3.1.2 or later. For version 2.x branch, update to release 2.3.1, although it is generally not recommended to run this branch since it depends on an outdated TYPO3 version. As a temporary workaround, consider disabling the ListView, Navigation, or PageView plugins until a patch is available.