Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in typo3/cms-form
Description
TYPO3 is an open source PHP-based web content management system. In TYPO3 before versions 10.4.14 and 11.1.1, it has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. This is fixed in versions 10.4.14 and 11.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TYPO3 Form Designer backend module vulnerable to XSS; requires authenticated access to form module. Fixed in versions 10.4.14 and 11.1.1.
Root Cause
The Form Designer backend module in TYPO3's Form Framework is vulnerable to cross-site scripting (XSS). The vulnerability arises from insufficient sanitization of user-supplied input when rendering form elements within the module [2].
Exploitation
To exploit the vulnerability, an attacker must have a valid backend user account with access to the form module. The attacker can craft malicious input that, when processed by the Form Designer, executes arbitrary JavaScript in the context of the TYPO3 backend [2].
Impact
Successful exploitation allows an attacker to execute malicious scripts in the browser of other backend users, potentially leading to session hijacking, data theft, or further compromise of the TYPO3 instance. Access to the form module is a prerequisite, limiting the attack surface to authenticated users [2].
Mitigation
The vulnerability has been patched in TYPO3 versions 10.4.14 and 11.1.1. Users should upgrade to these versions immediately. No workaround is available for older versions [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| typo3/cms-form | Packagist | >= 10.2.0, < 10.4.14 | 10.4.14 |
| typo3/cms-form | Packagist | >= 11.0.0, < 11.1.1 | 11.1.1 |
| typo3/cms-core | Packagist | >= 10.0.0, < 10.4.14 | 10.4.14 |
| typo3/cms-core | Packagist | >= 11.0.0, < 11.1.1 | 11.1.1 |
| typo3/cms | Packagist | >= 10.0.0, < 10.4.14 | 10.4.14 |
| typo3/cms | Packagist | >= 11.0.0, < 11.1.1 | 11.1.1 |
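A practical check for the ranges in the table above is to scan a project's composer.lock for installed versions that fall inside them. The script below is an added example, not code from the page or from the TYPO3 project; it encodes the advisory's affected ranges and patched versions as data, compares them against the `packages` / `packages-dev` entries of a composer.lock document, and runs offline against a constructed sample lock file embedded inline.

```python
import json
import re
from typing import Callable, Dict, List, Tuple

# Affected ranges and patched versions exactly as listed in the advisory
# table (ecosystem: Packagist).
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "typo3/cms-form": [(">= 10.2.0, < 10.4.14", "10.4.14"),
                       (">= 11.0.0, < 11.1.1", "11.1.1")],
    "typo3/cms-core": [(">= 10.0.0, < 10.4.14", "10.4.14"),
                       (">= 11.0.0, < 11.1.1", "11.1.1")],
    "typo3/cms":      [(">= 10.0.0, < 10.4.14", "10.4.14"),
                       (">= 11.0.0, < 11.1.1", "11.1.1")],
}

_CLAUSE = re.compile(r"^(>=|<=|>|<)\s*(\S+)$")
_OPS: Dict[str, Callable[[tuple, tuple], bool]] = {
    ">=": lambda a, b: a >= b,
    ">":  lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<":  lambda a, b: a < b,
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """'v10.4.13' -> (10, 4, 13); '10.4' -> (10, 4, 0). Pre-release suffixes
    such as '-rc1' are dropped; non-numeric versions (dev-main) raise ValueError."""
    core = re.split(r"[-+]", v.lstrip("v"), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def in_range(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `spec`,
    e.g. '>= 10.2.0, < 10.4.14' (clauses are ANDed, as in the advisory table)."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unparseable range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def check_lock(lock_json: str) -> List[dict]:
    """Return one finding per installed package/range pair that is affected.
    composer.lock stores installed packages under 'packages' and 'packages-dev'."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name not in AFFECTED:
                continue
            for spec, patched in AFFECTED[name]:
                if in_range(pkg["version"], spec):
                    findings.append({"package": name, "installed": pkg["version"],
                                     "affected_range": spec, "upgrade_to": patched})
    return findings


# Constructed sample lock file; not a real project's composer.lock.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-core", "version": "v10.4.13"},
        {"name": "typo3/cms-form", "version": "v10.4.13"},
        {"name": "psr/log", "version": "1.1.4"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for f in check_lock(SAMPLE_LOCK):
        print(f"{f['package']} {f['installed']} is inside '{f['affected_range']}'; "
              f"upgrade to {f['upgrade_to']}")
```

Run it against a real lock file with `check_lock(open("composer.lock").read())`. The version parser deliberately handles only numeric tags; a branch alias such as `dev-main` raises so that it is reviewed by hand rather than silently reported as safe.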
Affected products
- OSV coordinates (no CPE): >= 10.2.0, < 10.4.14
- OSV coordinates (no CPE): >= 10.0.0, < 10.4.14
- OSV coordinates (no CPE): >= 10.0.0, < 10.4.14
- OSV coordinates (no CPE): >= 10.2.0, < 10.4.14
- TYPO3/TYPO3.CMS: >= 10.2.0, <= 10.4.13
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-x79j-wgqv-g8h2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21358 (NVD advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21358.yaml (web)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21358.yaml (web)
- github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x79j-wgqv-g8h2 (vendor advisory, x_refsource_CONFIRM)
- packagist.org/packages/typo3/cms-form (web, x_refsource_MISC)
- typo3.org/security/advisory/typo3-core-sa-2021-004 (vendor advisory, x_refsource_MISC)
News mentions
No linked articles in our index yet.