Vulnerability Description
TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser does not consider all potentially malicious HTML tag & attribute combinations per default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Typo3 | Typo3 | >= 7.0.0, <= 7.6.52 |
Related Weaknesses (CWE)
References
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-c5c9-8c6m-727vThird Party Advisory
- https://typo3.org/security/advisory/typo3-core-sa-2021-013Vendor Advisory
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-c5c9-8c6m-727vThird Party Advisory
- https://typo3.org/security/advisory/typo3-core-sa-2021-013Vendor Advisory
FAQ
What is CVE-2021-32768?
CVE-2021-32768 is a vulnerability with a CVSS score of 6.1 (MEDIUM). TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content...
How severe is CVE-2021-32768?
CVE-2021-32768 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32768?
Check the references section above for vendor advisories and patch information. Affected products include: Typo3 Typo3.