
Stored cross-site scripting vulnerability in "Backup Plus" extension for TYPO3 allows attackers to run arbitrary JavaScript code in the browser of other users

Open Source

NTCF:
NTCF-2025-2847

CVE:
CVE-2025-48206

Product:
ns_backup

Vendor:
T3Planet

Criticality:
medium

Status:
fixed

Discovered:
2025-02-06

Detail:
Public

Vulnerable version:
<= 13.0.0

Fixed version:
13.0.1

Summary

"Backup Plus" is an extension for the TYPO3 enterprise Content Management System (CMS). It has been discovered that the versions below 13.0.1 are susceptible to cross-site scripting (XSS).

Background

TYPO3 is a widely used open source enterprise CMS known for its extensibility and customizability. It allows organizations to build and manage complex websites and offers a wide range of extensions that add functionality. Various authorities at the national, cantonal and municipal level use TYPO3, often in contexts where confidentiality, availability and integrity are essential.

In a pilot project with the NCSC, the NTC evaluated the security of TYPO3 and its extensions to ensure the security of open source software used within the Swiss administration. Read more about the project here.

Vulnerability

The backup name is written into the backup logs and later rendered on the backup history page without encoding, so a name containing HTML markup acts as a stored XSS payload on that page.

The snippet below shows part of the code in Resources/Private/Templates/Backups/Backuprestore.html as of 8143d35c0492d6e4764b64099e9cdd3c2ac5b893, which is before the vulnerability was fixed:

<div style="display: none;" id="logDiv_{backup.uid}">
<f:format.raw>{backup.logs}</f:format.raw>
</div>

The <f:format.raw> view helper switches off Fluid's default output escaping, so the logs, which contain the attacker-controlled backup name, are placed into the hidden log container without any encoding.

The finished DOM does not contain the payload in executable form; however, while the page is being constructed, the log content is processed in a way that causes the injected script to execute.

Proof of Concept

With backend administrator privileges, the XSS can be triggered by creating a backup with the following name: <script src=data:text/javascript,console.log(document.currentScript);debugger></script>

If one navigates to the "Backup History" page afterwards, the XSS payload gets executed during the rendering of the page.

[Screenshot: Showcase for an XSS vulnerability in the ns_backup extension for TYPO3]
Note: The payload is not present in the final HTML page. Only the processing while the page is rendered seems to cause this XSS vulnerability.

Remediation

This vulnerability was reported to the TYPO3 security team and fixed by the extension maintainers in 67b8102a19e8e516dc4228f5c42f9e4fba5046cb. The patch introduces output encoding in the template as well as validation of the backup name.
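The following PHP snippet is an added example, not code from the ns_backup extension or from the vendor's patch. It illustrates the two measures named above for the template snippet shown in the Vulnerability section: rejecting a backup name that contains markup at input time, and HTML-encoding the log content at output time. At the template level, the equivalent of the encoding step is to output {backup.logs} without the <f:format.raw> wrapper so that Fluid's default escaping applies. The function names, the allow-list rule for backup names and the sample log line are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example (not the extension's code). Hypothetical helpers that show
// input validation and output encoding for the backup-name / log-div case.

/**
 * Allow-list validation for a backup name (hypothetical rule for this example):
 * letters, digits, underscore, hyphen and dot, 1 to 64 characters.
 * '<', '>', quotes, whitespace and anything else is rejected.
 */
function isValidBackupName(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $name) === 1;
}

/**
 * HTML-encode a value for element content or a quoted attribute.
 * This is what Fluid does by default for {variable} output and what
 * <f:format.raw> disables.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Mirrors the vulnerable template: the log text, which embeds the backup
 * name, is written into the hidden log div without encoding.
 */
function renderLogDivRaw(int $uid, string $logs): string
{
    return sprintf('<div style="display: none;" id="logDiv_%d">%s</div>', $uid, $logs);
}

/** Same markup, but the log text is encoded before insertion. */
function renderLogDivEncoded(int $uid, string $logs): string
{
    return sprintf('<div style="display: none;" id="logDiv_%d">%s</div>', $uid, encodeForHtml($logs));
}

// Constructed sample input: the advisory's proof-of-concept backup name,
// embedded in a made-up log line of the kind the hidden div would hold.
$payload = '<script src=data:text/javascript,console.log(document.currentScript);debugger></script>';
$logs    = 'Backup "' . $payload . '" created';

// Input validation: a benign name passes, the payload is rejected before it
// can ever reach the logs.
assert(isValidBackupName('nightly-2025-02-06') === true);
assert(isValidBackupName($payload) === false);

// Output encoding: the raw rendering keeps the <script> tag intact, the
// encoded rendering turns it into inert text (&lt;script ...&gt;).
$raw  = renderLogDivRaw(1, $logs);
$safe = renderLogDivEncoded(1, $logs);
assert(str_contains($raw, '<script'));
assert(!str_contains($safe, '<script'));
assert(str_contains($safe, '&lt;script src=data:text/javascript,'));

echo $safe, PHP_EOL;
```

Both measures are worth keeping: validation stops markup from entering the backup metadata at all, while encoding at the point of output protects the page even if a name bypasses validation or reaches the logs through another path. Encoding alone is the measure that directly addresses the template line quoted above.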

Patches

This issue has been fixed in version 13.0.1. It is recommended that all users of nitsan/ns-backup update to the latest version.

Timeline

2025-02-06: initial discovery

2025-02-21: private disclosure to vendor

2025-05-20: fix by vendor

2025-10-13: public disclosure