
Stored cross-site scripting vulnerability in "[clickstorm] SEO" extension for TYPO3 allows attackers to run arbitrary JavaScript code in the browser of other users

Open Source

NTCF:
NTCF-2025-861

CVE:
CVE-2025-30081

Product:
cs_seo

Vendor:
clickstorm GmbH

Criticality:
medium

Status:
fixed

Discovered:
2025-02-06

Detail:
Public

Vulnerable version:
6.0.0 - 6.6.0, 7.0.0 - 7.3.3, 8.0.0 - 8.2.1, 9.0.0 - 9.1.0

Fixed version:
6.7.0, 7.4.0, 8.3.0, 9.2.0

Summary

"[clickstorm] SEO" is an extension for the TYPO3 enterprise Content Management System (CMS). It has been discovered that the following versions are susceptible to reflected cross-site scripting (XSS): 6.0.0-6.6.0, 7.0.0-7.3.3, 8.0.0-8.2.1, 9.0.0-9.1.0

Background

TYPO3 is a widely used open source enterprise CMS known for its extensibility and customizability. It allows organizations to build and manage complex websites while offering a range of extensions that enhance its functionality. Various authorities at the national, cantonal and municipality level use TYPO3 - often in contexts where confidentiality, availability and integrity are essential. 

In a pilot project with the NCSC, the NTC evaluated the security of TYPO3 and its extensions to ensure the security of open source software used within the Swiss administration. Read more about the project here.

Vulnerability

The extension shows "flash messages" for certain events, and these messages can contain data from user input. The implementation can be found in Classes/Controller/AbstractModuleController.php. Before commit 1bf5af2fb57ef8250b9bbec39d704ef05e6db4d4 the message content was not encoded properly, which allowed attackers to smuggle HTML tags into the message. The relevant code snippet is shown below:

    foreach ($messageQueue->getAllMessages() as $flashMessage) {
        $method = $flashMessage->getSeverity()->getCssClass();
        // Title and message are concatenated into a JavaScript string literal
        // without any encoding for the script context.
        $messages[] = 'top.TYPO3.Notification.' . $method . '("' . $flashMessage->getTitle() . '",
            "' . $flashMessage->getMessage() . '",
            ' . static::$flashMessageDurationInSeconds . ');';
    }

The content of the third parameter allows user inputs from the URL parameter data[sys_file_metadata][12][alternative].

Proof of Concept

After uploading an image in the file list (so that the uid=1 lookup succeeds), this reflected XSS can be triggered via the data[sys_file_metadata][12][alternative] URL parameter like so:

https://[TYPO3-URL]/typo3/module/file/cs-seo/ModuleFile/update?id=1%3A%2Fns_theme_freelancer%2F&offset=0&uid=1&data%5Bsys_file_metadata%5D%5B12%5D%5Balternative%5D= %3C%2Fscript%3E%3Cimg+src%3Dx+onerror%3Ddebugger%3E&data%5Bsys_file_metadata%5D%5B12%5D%5Btitle%5D=&data%5Bsys_file_metadata%5D%5B12%5D%5Bdescription%5D=rehrher.

The payload, which decodes to </script><img src=x onerror=debugger>, successfully triggers XSS by breaking out of the page's script context. The initial </script> tag closes the legitimate script block, allowing the subsequent tag to be parsed as HTML and executed by the browser.

[Screenshot: XSS triggers in clickstorm SEO extension for TYPO3]

Note: The NTC did not look further into the fact that the message payload gets moved into the body part of the HTML, as it has no impact on the exploitability of the vulnerability.
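To make the encoding problem described in the Vulnerability section and the script-context breakout from the proof of concept concrete, the following is an added example, not code from the cs_seo extension or from its fix (which encodes in the template instead). It puts the vulnerable concatenation pattern next to a hardened variant that encodes each value for a JavaScript string literal embedded in HTML. The function names, the allow-list of notification methods and the sample title/message are constructed for illustration.

```php
<?php
// Added example, not part of the cs_seo extension: vulnerable flash-message
// rendering beside a hardened variant. All names below are constructed.
declare(strict_types=1);

// Vulnerable pattern from the advisory: raw title/message are interpolated
// into a JS string literal that is later placed inside a <script> element.
// A message containing "</script>" terminates that element early and the
// remainder is parsed by the browser as HTML.
function buildNotificationUnsafe(string $method, string $title, string $message, int $duration): string
{
    return 'top.TYPO3.Notification.' . $method
        . '("' . $title . '", "' . $message . '", ' . $duration . ');';
}

// Hardened variant: encode for the "JS string inside HTML" context.
// json_encode yields a valid, quoted JS string literal; the JSON_HEX_* flags
// turn < > & ' " into \uXXXX escapes, and the default escaping of "/" as "\/"
// guarantees that "</script>" can never appear literally in the output.
function encodeForJsInHtml(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function buildNotificationSafe(string $method, string $title, string $message, int $duration): string
{
    // $method is derived from the severity, not from user input, but an
    // allow-list keeps a later refactoring from widening the sink.
    // The list of accepted method names is an assumption for this example.
    $allowedMethods = ['notice', 'info', 'success', 'warning', 'error'];
    if (!in_array($method, $allowedMethods, true)) {
        throw new InvalidArgumentException('Unknown notification method: ' . $method);
    }
    return 'top.TYPO3.Notification.' . $method . '('
        . encodeForJsInHtml($title) . ', '
        . encodeForJsInHtml($message) . ', '
        . $duration . ');';
}

// Returns true if the generated script fragment still contains a literal
// script-closing tag, i.e. the breakout from the proof of concept would work.
function containsScriptBreakout(string $jsFragment): bool
{
    return stripos($jsFragment, '</script') !== false;
}

// Constructed sample input: the decoded payload from the advisory used as
// the "alternative" text that ends up in the flash message.
$payload = '</script><img src=x onerror=debugger>';

$unsafe = buildNotificationUnsafe('success', 'Metadata saved', $payload, 5);
$safe   = buildNotificationSafe('success', 'Metadata saved', $payload, 5);

echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;
echo "breakout possible (unsafe): ", var_export(containsScriptBreakout($unsafe), true), PHP_EOL;
echo "breakout possible (safe):   ", var_export(containsScriptBreakout($safe), true), PHP_EOL;
```

Run it with `php example.php`: the unsafe fragment carries the closing tag through untouched, while in the hardened fragment the angle brackets and the slash are escaped, so the browser's HTML parser never sees a `</script>` and the value stays an ordinary string when the notification is displayed. The same encoding function is the right tool wherever a server-side value is written into an inline script; encoding in the Fluid template, as the vendor's fix does, achieves the same goal at a different layer.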

Remediation

This vulnerability was reported to the TYPO3 security team and fixed by the extension maintainers in 46e15a22d52da227b110bf6e95c2bcbb2fe4f55f. This patch introduces encoding within the template.

Patches

This issue has been fixed in versions 6.7.0, 7.4.0, 8.3.0 and 9.2.0. It is recommended that all users of clickstorm/cs-seo update to the latest version.

Workarounds

Additionally, it is recommended to enable the Content Security Policy (CSP) for the TYPO3 backend user interface, which prevents the execution of this XSS vulnerability.
In TYPO3 13.4, this security feature is enabled by default.

Timeline

2025-02-06: initial discovery

2025-02-21: private disclosure to vendor

2025-03-18: fix by vendor

2025-10-13: public disclosure