
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A Cross-Site Scripting (XSS) vulnerability was discovered in TYPO3 CMS's Filelist Module, affecting versions 8.0.0-8.7.29, 9.0.0-9.5.11, and 10.0.0-10.2.0. The vulnerability was disclosed on December 17, 2019, and identified as TYPO3-CORE-SA-2019-023. The issue affects the file listing functionality in the TYPO3 backend module (TYPO3 Advisory).
The vulnerability occurs in the output table listing of the 'Files' backend module when a file extension contains malicious sequences. The issue arose because FAL (File Abstraction Layer) filters invalid characters from file names stored through its API, but this sanitization does not apply when files are placed on disk by other means, such as FTP uploads, that bypass FAL. The fix added a missing htmlspecialchars call when rendering file extensions (GitHub Commit). The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Moderate severity) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (GitHub Advisory).
The vulnerability could allow attackers to execute cross-site scripting attacks through maliciously crafted file extensions. However, the impact is limited as it requires access to the file system of the server, either directly or through synchronization, to exploit the vulnerability (TYPO3 Advisory).
The vulnerability has been patched in TYPO3 versions 8.7.30, 9.5.12, and 10.2.1. Users are advised to update to these patched versions to resolve the security issue. The fix implements proper HTML encoding of file extensions using htmlspecialchars when rendering file extensions in the backend module (TYPO3 Advisory).
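The following is an added illustration, not TYPO3 core code, of the rendering defect the advisory describes and of the htmlspecialchars fix applied to it. The function names, the table-cell wrapper and the sample file names are constructed for this example; the only TYPO3-specific facts it relies on are that the extension is derived from the file name and that the fix encodes it before output.

```php
<?php
declare(strict_types=1);

// Constructed example (not TYPO3's own code). A file written to the storage
// outside FAL (for example by an FTP upload) never passes FAL's file-name
// filtering, so its "extension" can contain arbitrary characters.
function fileExtension(string $fileName): string
{
    // Everything after the last dot, as pathinfo() defines it.
    return pathinfo($fileName, PATHINFO_EXTENSION);
}

// Before the fix: the extension is concatenated into the listing unencoded,
// so any markup in it becomes part of the backend page.
function renderExtensionCellUnsafe(string $fileName): string
{
    return '<td>' . fileExtension($fileName) . '</td>';
}

// After the fix: the extension is passed through htmlspecialchars() before
// it is written into the table cell. ENT_QUOTES covers both quote styles in
// case the value ever lands inside an attribute.
function renderExtensionCellSafe(string $fileName): string
{
    $ext = htmlspecialchars(fileExtension($fileName), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $ext . '</td>';
}

// Simple output check a reviewer can use: apart from the <td> wrapper we
// emit ourselves, a rendered cell must not contain any raw tags.
function cellContainsRawMarkup(string $cell): bool
{
    $inner = substr($cell, strlen('<td>'), -strlen('</td>'));
    return $inner !== strip_tags($inner);
}

// Constructed sample file names: one ordinary, one whose extension carries
// a harmless markup fragment to show that unencoded output passes it through.
$samples = [
    'report.pdf',
    'notes.txt<b>injected</b>',
];

foreach ($samples as $name) {
    $unsafe = renderExtensionCellUnsafe($name);
    $safe   = renderExtensionCellSafe($name);
    printf("%-28s unsafe: %-40s raw markup: %s\n", $name, $unsafe,
        cellContainsRawMarkup($unsafe) ? 'yes' : 'no');
    printf("%-28s safe:   %-40s raw markup: %s\n", $name, $safe,
        cellContainsRawMarkup($safe) ? 'yes' : 'no');
}
```

Run with `php example.php`. For the second sample the unsafe cell contains `<b>injected</b>` verbatim while the safe cell contains `&lt;b&gt;injected&lt;/b&gt;`, which the browser displays as text. The same pattern applies to every other file attribute the listing prints (name, path, MIME type): encode at the output boundary rather than relying on upstream filtering that a non-FAL write path can skip.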
Source: This report was generated using AI