CVE-2021-21370

Published: Mar 23, 2021Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.

Affected (5)

Products: Typo3: Typo3

1 product

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Typo3 Typo3	From 10.0.0 to 10.4.14
Typo3 Typo3	From 11.0.0 to 11.1.1
Typo3 Typo3	From 7.0.0 to 7.6.51
Typo3 Typo3	From 8.0.0 to 8.7.40
Typo3 Typo3	From 9.0.0 to 9.5.25

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh

Source: security-advisories@github.com

Third Party Advisory

https://packagist.org/packages/typo3/cms-backend

Source: security-advisories@github.com

Release NotesThird Party Advisory

https://typo3.org/security/advisory/typo3-core-sa-2021-008

Source: security-advisories@github.com

Vendor Advisory

https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://packagist.org/packages/typo3/cms-backend

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://typo3.org/security/advisory/typo3-core-sa-2021-008

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.