Cross-Site Scripting in Content Preview
Description
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 10.4.14, 11.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TYPO3 backend descriptionColumn fields are vulnerable to stored XSS when previewed, requiring a valid backend user account; fixed in 10.4.14 and 11.1.1.
CVE-2021-21340 is a cross-site scripting (XSS) vulnerability in the TYPO3 content management system, affecting versions prior to 10.4.14 and 11.1.1. The issue arises because database fields designated as the *descriptionColumn* are not properly sanitized before being rendered in previews. When a backend user views a record in the TYPO3 backend interface, the content of these description fields is displayed without adequate escaping, allowing an attacker to inject malicious JavaScript [1][2].
To exploit this vulnerability, an attacker needs a valid backend user account that can edit a record whose table configuration designates a descriptionColumn. No privileges beyond that ordinary editing right are required. When the crafted content is later previewed by another backend user (or the same user), the injected script executes in the victim's browser with the session and origin of the TYPO3 backend [2][3].
Successful exploitation can lead to session hijacking or to actions performed in the backend on behalf of the victim; if the victim is an administrator, the script inherits administrative rights, which is the privilege escalation path. Because the script runs inside the backend origin, it can read what the page can read (including CSRF tokens embedded in the UI) and drive the backend's own endpoints. The vulnerability is a stored XSS (Type 2, persistent): the payload is kept in the database and fires each time the field is rendered in a preview [2][4].
The TYPO3 project has addressed this vulnerability in releases 10.4.14 and 11.1.1. Administrators are advised to update to these versions or later; the advisory provides no workaround for unpatched versions. As of the publication date the issue does not appear in CISA's Known Exploited Vulnerabilities catalog, so there is no public evidence of exploitation in the wild [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
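The following PHP block is an added, illustrative model of the bug class described above; it is not TYPO3's own code and does not reproduce the patched file. It assumes a hypothetical preview renderer that reads a record array and the name of its descriptionColumn, shows the pre-fix behaviour (field content interpolated raw) next to a hardened variant that encodes every database-sourced value with PHP's `htmlspecialchars` before it reaches the markup, and checks the result against a constructed payload of the kind a low-privileged editor could store through the normal record form.

```php
<?php
declare(strict_types=1);

// Added example modelling the CVE-2021-21340 bug class. Names, the $record
// layout and the preview markup are assumptions for illustration, not TYPO3 code.

// Constructed sample record. The "description" field is the descriptionColumn
// an editor can write to; its value is a classic stored-XSS payload.
$record = [
    'uid'         => 42,
    'title'       => 'Landing page',
    'description' => '<img src=x onerror="fetch(\'/typo3/?c=\'+document.cookie)">',
];

/**
 * Pre-fix behaviour: the descriptionColumn value is concatenated into the
 * preview markup as-is, so any tag or event handler it contains becomes live.
 */
function renderPreviewVulnerable(array $record, string $descriptionColumn): string
{
    $description = (string)($record[$descriptionColumn] ?? '');
    return '<div class="record-preview">'
        . '<strong>' . htmlspecialchars($record['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</strong>'
        . '<p class="description">' . $description . '</p>'
        . '</div>';
}

/**
 * Hardened behaviour: every value that originates from the database is encoded
 * for an HTML text context before output. ENT_QUOTES also neutralises quotes,
 * so the same helper is safe for attribute contexts.
 */
function renderPreviewHardened(array $record, string $descriptionColumn): string
{
    $enc = static fn(string $value): string => htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $description = (string)($record[$descriptionColumn] ?? '');
    return '<div class="record-preview">'
        . '<strong>' . $enc((string)$record['title']) . '</strong>'
        . '<p class="description">' . $enc($description) . '</p>'
        . '</div>';
}

/**
 * Minimal regression check: an unencoded "<img" or "<script" start tag in the
 * output means the payload would be parsed as markup. Encoded output contains
 * "&lt;img" instead, which the browser renders as text.
 */
function containsActiveMarkup(string $html): bool
{
    return (bool)preg_match('/<(img|script)\b/i', $html);
}

$vulnerable = renderPreviewVulnerable($record, 'description');
$hardened   = renderPreviewHardened($record, 'description');

echo 'vulnerable preview contains live markup: ' . var_export(containsActiveMarkup($vulnerable), true) . PHP_EOL;
echo 'hardened preview contains live markup:   ' . var_export(containsActiveMarkup($hardened), true) . PHP_EOL;
echo $hardened . PHP_EOL;
```

Run with `php example.php`: the first line prints `true`, the second `false`, and the hardened preview shows the payload as visible text (`&lt;img src=x onerror=&quot;...`) rather than an executing element. The point to carry into a real code base is the rule, not the helper: anything read from a descriptionColumn (or any other database field) is untrusted input and must be encoded for the exact output context it lands in, every time, regardless of which backend user wrote it.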
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| typo3/cms-backend | Packagist | >= 10.0.0, < 10.4.14 | 10.4.14 |
| typo3/cms-backend | Packagist | >= 11.0.0, < 11.1.1 | 11.1.1 |
| typo3/cms-core | Packagist | >= 10.0.0, < 10.4.14 | 10.4.14 |
| typo3/cms-core | Packagist | >= 11.0.0, < 11.1.1 | 11.1.1 |
| typo3/cms | Packagist | >= 10.0.0, < 10.4.14 | 10.4.14 |
| typo3/cms | Packagist | >= 11.0.0, < 11.1.1 | 11.1.1 |
Affected products
5 entries (4 OSV coordinates, 1 product version range):
- OSV coordinates, 4 entries without a CPE: >= 10.0.0, < 10.4.14 (+ 3 more ranges not expanded on the source page)
- TYPO3/TYPO3.CMS (v5 range): >= 10.0.0, <= 10.4.13
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-fjh3-g8gq-9q92 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21340 (GHSA; advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21340.yaml (GHSA; web)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21340.yaml (GHSA; web)
- github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-fjh3-g8gq-9q92 (GHSA, x_refsource_CONFIRM; web)
- packagist.org/packages/typo3/cms-backend (GHSA, x_refsource_MISC; web)
- typo3.org/security/advisory/typo3-core-sa-2021-007 (GHSA, x_refsource_MISC; web)
News mentions
No linked articles in our index yet.