Skip to content

Cross-Site Scripting in Content Preview

Moderate severity GitHub Reviewed Published Mar 16, 2021 in TYPO3/typo3 • Updated Feb 2, 2024

Package

composer typo3/cms (Composer)

Affected versions

>= 10.0.0, < 10.4.14
>= 11.0.0, < 11.1.1

Patched versions

10.4.14
11.1.1
composer typo3/cms-backend (Composer)
>= 10.0.0, <= 10.4.13
>= 11.0.0, <= 11.1.0
10.4.14
11.1.1
composer typo3/cms-core (Composer)
>= 10.0.0, < 10.4.14
>= 11.0.0, < 11.1.1
10.4.14
11.1.1

Description

Problem

It has been discovered that database fields used as descriptionColumn are vulnerable to cross-site scripting when their content gets previewed in the page module. A valid backend user account is needed to exploit this vulnerability.

Solution

Update to TYPO3 versions 10.4.14, 11.1.1 that fix the problem described.

Credits

Thanks to Richie Lee who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue.

References

References

@ohader ohader published to TYPO3/typo3 Mar 16, 2021
Reviewed Mar 23, 2021
Published to the GitHub Advisory Database Mar 23, 2021
Published by the National Vulnerability Database Mar 23, 2021
Last updated Feb 2, 2024

Severity

Moderate
5.4
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2021-21340

GHSA ID

GHSA-fjh3-g8gq-9q92

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.