CVE-2025-10316 - Vulnerability Details - OpenCVE

The extension "Form to Database" is susceptible to Cross-Site Scripting. This issue affects the following versions: before 2.2.5, from 3.0.0 before 3.2.2, from 4.0.0 before 4.2.3, from 5.0.0 before 5.0.2.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Typo3	Typo3

No data.

No data.

References

Link	Providers
https://typo3.org/security/advisory/typo3-ext-sa-2025-012

History

Wed, 17 Sep 2025 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Typo3 Typo3 typo3
Vendors & Products		Typo3 Typo3 typo3

Tue, 16 Sep 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 16 Sep 2025 09:15:00 +0000

Type	Values Removed	Values Added
Description		The extension "Form to Database" is susceptible to Cross-Site Scripting. This issue affects the following versions: before 2.2.5, from 3.0.0 before 3.2.2, from 4.0.0 before 4.2.3, from 5.0.0 before 5.0.2.
Title		Cross-Site Scripting in extension "Form to Database" (form_to_database)
Weaknesses		CWE-79
References		https://typo3.org/security/advisory/typo3-ext-sa-2025-012
Metrics		cvssV4_0 `{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: TYPO3

Published: 2025-09-16T09:09:33.130Z

Updated: 2025-09-16T19:25:11.383Z

Reserved: 2025-09-12T06:42:30.873Z

Link: CVE-2025-10316

Vulnrichment

Updated: 2025-09-16T19:25:08.180Z

NVD

Status : Awaiting Analysis

Published: 2025-09-16T09:15:46.110

Modified: 2025-09-16T12:49:16.060

Link: CVE-2025-10316

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-10316", "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "state": "PUBLISHED", "assignerShortName": "TYPO3", "dateReserved": "2025-09-12T06:42:30.873Z", "datePublished": "2025-09-16T09:09:33.130Z", "dateUpdated": "2025-09-16T19:25:11.383Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://packagist.org/", "defaultStatus": "unaffected", "packageName": "lavitto/typo3-form-to-database", "product": "Extension \"Form to Database\" (form_to_database)", "repo": "https://gitlab.com/lavitto/typo3-form-to-database", "vendor": "TYPO3", "versions": [{"lessThan": "2.2.5", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "3.2.2", "status": "affected", "version": "3.0.0", "versionType": "semver"}, {"lessThan": "4.2.3", "status": "affected", "version": "4.0.0", "versionType": "semver"}, {"lessThan": "5.0.2", "status": "affected", "version": "5.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Sascha Egerer"}], "datePublic": "2025-09-16T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The extension \"Form to Database\" is s<span style=\"background-color: transparent;\">usceptible to Cross-Site Scripting. </span>This issue affects the following versions: before 2.2.5, from 3.0.0 before 3.2.2, from 4.0.0 before 4.2.3, from 5.0.0 before 5.0.2."}], "value": "The extension \"Form to Database\" is susceptible to Cross-Site Scripting.\u00a0This issue affects the following versions: before 2.2.5, from 3.0.0 before 3.2.2, from 4.0.0 before 4.2.3, from 5.0.0 before 5.0.2."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.3, "baseSeverity": "LOW", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "shortName": "TYPO3", "dateUpdated": "2025-09-16T09:09:33.130Z"}, "references": [{"url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-012"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-Site Scripting in extension \"Form to Database\" (form_to_database)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-16T19:25:04.748116Z", "id": "CVE-2025-10316", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-16T19:25:11.383Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-10316", "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "state": "PUBLISHED", "assignerShortName": "TYPO3", "dateReserved": "2025-09-12T06:42:30.873Z", "datePublished": "2025-09-16T09:09:33.130Z", "dateUpdated": "2025-09-16T19:25:11.383Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://packagist.org/", "defaultStatus": "unaffected", "packageName": "lavitto/typo3-form-to-database", "product": "Extension \"Form to Database\" (form_to_database)", "repo": "https://gitlab.com/lavitto/typo3-form-to-database", "vendor": "TYPO3", "versions": [{"lessThan": "2.2.5", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "3.2.2", "status": "affected", "version": "3.0.0", "versionType": "semver"}, {"lessThan": "4.2.3", "status": "affected", "version": "4.0.0", "versionType": "semver"}, {"lessThan": "5.0.2", "status": "affected", "version": "5.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Sascha Egerer"}], "datePublic": "2025-09-16T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The extension \"Form to Database\" is s<span style=\"background-color: transparent;\">usceptible to Cross-Site Scripting. </span>This issue affects the following versions: before 2.2.5, from 3.0.0 before 3.2.2, from 4.0.0 before 4.2.3, from 5.0.0 before 5.0.2."}], "value": "The extension \"Form to Database\" is susceptible to Cross-Site Scripting.\u00a0This issue affects the following versions: before 2.2.5, from 3.0.0 before 3.2.2, from 4.0.0 before 4.2.3, from 5.0.0 before 5.0.2."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.3, "baseSeverity": "LOW", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "shortName": "TYPO3", "dateUpdated": "2025-09-16T09:09:33.130Z"}, "references": [{"url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-012"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-Site Scripting in extension \"Form to Database\" (form_to_database)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10316", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-16T19:25:04.748116Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-16T19:25:08.180Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The extension \"Form to Database\" is susceptible to Cross-Site Scripting.\u00a0This issue affects the following versions: before 2.2.5, from 3.0.0 before 3.2.2, from 4.0.0 before 4.2.3, from 5.0.0 before 5.0.2."}], "id": "CVE-2025-10316", "lastModified": "2025-09-16T12:49:16.060", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "type": "Secondary"}]}, "published": "2025-09-16T09:15:46.110", "references": [{"source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-012"}], "sourceIdentifier": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "type": "Secondary"}]}