Vulnerability Description
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 10.4.14, 11.1.1 .
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Typo3 | Typo3 | >= 10.0.0, < 10.4.14 |
Related Weaknesses (CWE)
References
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-fjh3-g8gq-9q92Third Party Advisory
- https://packagist.org/packages/typo3/cms-backendRelease NotesThird Party Advisory
- https://typo3.org/security/advisory/typo3-core-sa-2021-007Vendor Advisory
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-fjh3-g8gq-9q92Third Party Advisory
- https://packagist.org/packages/typo3/cms-backendRelease NotesThird Party Advisory
- https://typo3.org/security/advisory/typo3-core-sa-2021-007Vendor Advisory
FAQ
What is CVE-2021-21340?
CVE-2021-21340 is a vulnerability with a CVSS score of 5.4 (MEDIUM). TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as _descriptionColumn_ are vulnerable to cros...
How severe is CVE-2021-21340?
CVE-2021-21340 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-21340?
Check the references section above for vendor advisories and patch information. Affected products include: Typo3 Typo3.