CVE-2021-21340

Description

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 10.4.14, 11.1.1 .

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected products

TYPO3 / TYPO3.CMS>= 10.0.0, <= 10.4.13 – >= 10.0.0, <= 10.4.13
TYPO3 / TYPO3.CMS>= 11.0.0, <= 11.1.0 – >= 11.0.0, <= 11.1.0

References

VENDOR_ADVISORYhttps://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-fjh3-g8gq-9q92
MISChttps://packagist.org/packages/typo3/cms-backend
MISChttps://typo3.org/security/advisory/typo3-core-sa-2021-007