Skip to content

Cross-Site Scripting in Content Preview (descriptionColumn)

Moderate
ohader published GHSA-fjh3-g8gq-9q92 Mar 16, 2021

Package

composer typo3/cms-backend (Composer)

Affected versions

10.0.0-10.4.1, 11.0.0-11.1.0

Patched versions

10.4.14, 11.1.1

Description

Meta

  • CVSS: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (5.0)
  • CWE-79
  • Status: DRAFT

Problem

It has been discovered that database fields used as descriptionColumn are vulnerable to cross-site scripting when their content gets previewed in the page module. A valid backend user account is needed to exploit this vulnerability.

Solution

Update to TYPO3 versions 10.4.14, 11.1.1 that fix the problem described.

Credits

Thanks to Richie Lee who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue.

References

Severity

Moderate

CVE ID

CVE-2021-21340

Weaknesses

Credits