CVE-2021-32667

Published: Jul 20, 2021Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When _Page TSconfig_ settings are not properly encoded, corresponding page preview module (_Web>View_) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this issue.

Affected (3)

Products: Typo3: Typo3

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Typo3 Typo3	From 10.0.0 to 10.4.17
Typo3 Typo3	From 11.0.0 to 11.3.0
Typo3 Typo3	From 9.0.0 to 9.5.287

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-8mq9-fqv8-59wf

Source: security-advisories@github.com

Third Party Advisory

https://typo3.org/security/advisory/typo3-core-sa-2021-009

Source: security-advisories@github.com

Vendor Advisory

https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-8mq9-fqv8-59wf

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://typo3.org/security/advisory/typo3-core-sa-2021-009

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.