Vulnerability Description
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14 and 11.1.1, content elements of type _menu_ are vulnerable to cross-site scripting when the items they reference are previewed in the page module of the backend. A valid backend user account is needed to exploit this vulnerability, so the attacker is an authenticated editor whose injected markup executes in the browser of another backend user who opens the page module. This is fixed in versions 7.6.51, 8.7.40, 9.5.25, 10.4.14 and 11.1.1.
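The following is an added illustration of the flaw class, not code from TYPO3 or from the advisory: a stand-alone stand-in for a page-module preview that lists the titles of the pages a _menu_ element references. The record arrays (`PAGES`, `MENU_ELEMENT`), the field names and the function names are assumptions made for the demo; the CType value is illustrative. The vulnerable renderer concatenates stored record values straight into backend HTML; the hardened renderer HTML-encodes every record value first, which is the general shape of the fix for this bug class.

```php
<?php
// Added example (not TYPO3 code): preview of a "menu" content element,
// shown once unescaped (vulnerable) and once HTML-encoded (hardened).
declare(strict_types=1);

// Constructed sample "pages" records. A backend editor with edit rights on
// page 3 stored markup in its title; the title field itself accepts that.
const PAGES = [
    1 => ['uid' => 1, 'title' => 'Home'],
    2 => ['uid' => 2, 'title' => 'Products & Services'],
    3 => ['uid' => 3, 'title' => '<img src=x onerror="alert(document.cookie)">'],
];

// Constructed sample content element (CType value is illustrative) that
// references pages 1, 2 and 3 by uid in a comma-separated list.
const MENU_ELEMENT = [
    'uid'   => 42,
    'CType' => 'menu_pages',
    'pages' => '1,2,3',
];

/** Resolve the uid list of the element to the referenced page records. */
function referencedPages(array $element): array
{
    $uids = array_map('intval', explode(',', $element['pages']));
    $records = array_map(fn(int $uid) => PAGES[$uid] ?? null, $uids);
    return array_values(array_filter($records));
}

/** Vulnerable: record titles are placed into backend HTML verbatim. */
function renderPreviewVulnerable(array $element): string
{
    $items = '';
    foreach (referencedPages($element) as $page) {
        $items .= '<li>' . $page['title'] . '</li>';
    }
    return '<ul class="menu-preview">' . $items . '</ul>';
}

/** Hardened: every value taken from a record is HTML-encoded for the context. */
function renderPreviewFixed(array $element): string
{
    $items = '';
    foreach (referencedPages($element) as $page) {
        $safeTitle = htmlspecialchars($page['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $items .= '<li>' . $safeTitle . '</li>';
    }
    return '<ul class="menu-preview">' . $items . '</ul>';
}

/** True if the output contains any element other than the renderer's own <ul>/<li>. */
function containsForeignMarkup(string $html): bool
{
    return (bool) preg_match('/<(?!\/?(?:ul|li)\b)[a-z]/i', $html);
}

$vulnerable = renderPreviewVulnerable(MENU_ELEMENT);
$fixed      = renderPreviewFixed(MENU_ELEMENT);

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";
echo 'vulnerable preview carries injected element: '
    . (containsForeignMarkup($vulnerable) ? 'yes' : 'no') . "\n";
echo 'fixed preview carries injected element:      '
    . (containsForeignMarkup($fixed) ? 'yes' : 'no') . "\n";
```

Run it with `php preview.php`. The point the demo makes is that the injection site is not the menu element itself but the records it references: an editor needs only write access to one referenced page title to have markup rendered in every backend user's page-module preview of the menu, which is why the privilege needed is an ordinary backend account rather than an administrator.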
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Typo3 | Typo3 | >= 7.0.0, < 7.6.51 |
| Typo3 | Typo3 | >= 8.0.0, < 8.7.40 |
| Typo3 | Typo3 | >= 9.0.0, < 9.5.25 |
| Typo3 | Typo3 | >= 10.0.0, < 10.4.14 |
| Typo3 | Typo3 | >= 11.0.0, < 11.1.1 |
Related Weaknesses (CWE)
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh (Third Party Advisory)
- https://packagist.org/packages/typo3/cms-backend (Release Notes, Third Party Advisory)
- https://typo3.org/security/advisory/typo3-core-sa-2021-008 (Vendor Advisory)
FAQ
What is CVE-2021-21370?
CVE-2021-21370 is a vulnerability with a CVSS score of 5.4 (MEDIUM). TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14 and 11.1.1, content elements of type _menu_ are vulnerable to cross-site scripting when the items they reference are previewed in the page module. A valid backend user account is needed to exploit it.
How severe is CVE-2021-21370?
CVE-2021-21370 has been rated MEDIUM with a CVSS base score of 5.4/10. The score reflects that exploitation requires an authenticated backend user and interaction by another backend user who opens the page module preview; the impact is script execution in that user's backend session.
Is there a patch for CVE-2021-21370?
Yes. The issue is fixed in TYPO3 7.6.51, 8.7.40, 9.5.25, 10.4.14 and 11.1.1; installations on an earlier release of any of those branches should update to the corresponding fixed version (the patched code ships in the typo3/cms-backend package). See the vendor advisory TYPO3-CORE-SA-2021-008 in the references section above. The affected product is Typo3 Typo3.