Cross-Site Scripting in Content Preview (CType menu)
Description
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TYPO3 CMS menu content elements are vulnerable to stored XSS when previewed in the page module, requiring a valid backend user account.
Vulnerability
CVE-2021-21370 is a cross-site scripting (XSS) vulnerability in TYPO3, an open-source PHP-based web content management system. The flaw exists in content elements of type menu. When such an element is previewed in the page module, data from the items it references is rendered into the preview markup without proper output encoding, so script content stored in those items reaches the browser of the backend user viewing the preview [1][2]. The root cause is insufficient HTML encoding of untrusted record data in the preview rendering context.
Exploitation
Exploitation requires a valid backend user account with access to the page module [2]. An attacker holding such an account crafts a menu content element whose referenced items carry malicious JavaScript; the payload is persisted in the database, which makes this a stored XSS. The script runs when another backend user, typically one with higher privileges such as an administrator reviewing the page, opens the preview in the page module [3][4].
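The bug class described above, as an added illustration that is not TYPO3 core code: a backend preview renderer for a menu element concatenates the titles of the pages it references into markup, first without encoding (the vulnerable pattern) and then with `htmlspecialchars` on output (the hardened pattern). The function names, the assumption that the referenced item's title is the injected field, and the sample page rows with an event-handler payload are all constructed for this example; `previewLooksSafe` is a small DOM-based regression check, not a TYPO3 API.

```php
<?php
// Added example (not TYPO3 code). Models the vulnerable and the hardened way of
// rendering data from records referenced by a "menu" content element into a
// backend preview. All names and sample data below are constructed.
declare(strict_types=1);

/** Constructed stand-in for the pages a menu content element references. */
function referencedPages(): array
{
    return [
        ['uid' => 10, 'title' => 'Products'],
        // Stored by an editor who can edit page titles; the preview is later
        // opened by a different, possibly more privileged, backend user.
        ['uid' => 11, 'title' => '<img src=x onerror="alert(document.cookie)">'],
    ];
}

/** Vulnerable pattern: stored record data is concatenated into HTML verbatim. */
function renderMenuPreviewVulnerable(array $pages): string
{
    $html = '<ul class="preview-menu">';
    foreach ($pages as $page) {
        $html .= '<li data-uid="' . $page['uid'] . '">' . $page['title'] . '</li>';
    }
    return $html . '</ul>';
}

/** Hardened pattern: every untrusted value is HTML-encoded at the output sink. */
function renderMenuPreviewFixed(array $pages): string
{
    $html = '<ul class="preview-menu">';
    foreach ($pages as $page) {
        $uid = (int)$page['uid'];
        $title = htmlspecialchars((string)$page['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= '<li data-uid="' . $uid . '">' . $title . '</li>';
    }
    return $html . '</ul>';
}

/**
 * Regression check: parse the preview and reject any element outside the
 * expected list markup or any on* event-handler attribute. Parsing instead of
 * string matching avoids false alarms on "onerror=" that is merely encoded text.
 */
function previewLooksSafe(string $html): bool
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);
    $dom->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $allowed = ['html', 'head', 'body', 'ul', 'li'];
    foreach ($dom->getElementsByTagName('*') as $el) {
        if (!in_array($el->tagName, $allowed, true)) {
            return false;
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return false;
            }
        }
    }
    return true;
}

$pages = referencedPages();
echo renderMenuPreviewVulnerable($pages), PHP_EOL;
echo renderMenuPreviewFixed($pages), PHP_EOL;
var_dump(previewLooksSafe(renderMenuPreviewVulnerable($pages)));
var_dump(previewLooksSafe(renderMenuPreviewFixed($pages)));
```

Run with `php preview.php`: the vulnerable renderer emits the stored `<img onerror>` tag as live markup and fails the check, while the hardened renderer emits it as encoded text inside the `<li>` and passes. The design point is that encoding belongs at the sink (here the preview renderer), not at input time, because the same title is legitimately stored and shown in other contexts.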
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's backend session. This can lead to session hijacking, actions performed in the backend on the victim's behalf (including actions the attacker's own account is not permitted to perform), or theft of sensitive information displayed in the backend interface. Because both attacker and victim need authenticated backend access, the pool of potential victims is limited, but the risk remains significant in installations with many editors or externally contributed content.
Mitigation
The vulnerability is fixed in TYPO3 versions 7.6.51, 8.7.40, 9.5.25, 10.4.14 and 11.1.1 [2]. Administrators should upgrade to the patched release of the branch they run, or a later one. No workaround has been published; applying the update is the only fix the vendor recommends [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| typo3/cms-backend | Packagist | >= 7.0.0, < 7.6.51 | 7.6.51 |
| typo3/cms-backend | Packagist | >= 8.0.0, < 8.7.40 | 8.7.40 |
| typo3/cms-backend | Packagist | >= 9.0.0, < 9.5.25 | 9.5.25 |
| typo3/cms-backend | Packagist | >= 10.0.0, < 10.4.14 | 10.4.14 |
| typo3/cms-backend | Packagist | >= 11.0.0, < 11.1.1 | 11.1.1 |
| typo3/cms-core | Packagist | >= 9.0.0, < 9.5.25 | 9.5.25 |
| typo3/cms-core | Packagist | >= 10.0.0, < 10.4.14 | 10.4.14 |
| typo3/cms-core | Packagist | >= 11.0.0, < 11.1.1 | 11.1.1 |
| typo3/cms | Packagist | >= 9.0.0, < 9.5.25 | 9.5.25 |
| typo3/cms | Packagist | >= 10.0.0, < 10.4.14 | 10.4.14 |
| typo3/cms | Packagist | >= 11.0.0, < 11.1.1 | 11.1.1 |
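A practitioner's first question is whether a given composer-based installation falls inside the ranges above. The following is an added example, not a TYPO3 or Packagist tool: it reads a composer.lock, compares every package against the affected ranges copied from the table, and reports hits. The composer.lock excerpt is constructed; the package names and version tags in it are illustrative only.

```php
<?php
// Added example (not TYPO3 tooling). Checks a composer.lock against the
// affected ranges listed for CVE-2021-21370. The lock excerpt is constructed.
declare(strict_types=1);

/** [package => [[first affected, first patched], ...]] as in the table above. */
const AFFECTED = [
    'typo3/cms-backend' => [
        ['7.0.0', '7.6.51'], ['8.0.0', '8.7.40'], ['9.0.0', '9.5.25'],
        ['10.0.0', '10.4.14'], ['11.0.0', '11.1.1'],
    ],
    'typo3/cms-core' => [['9.0.0', '9.5.25'], ['10.0.0', '10.4.14'], ['11.0.0', '11.1.1']],
    'typo3/cms'      => [['9.0.0', '9.5.25'], ['10.0.0', '10.4.14'], ['11.0.0', '11.1.1']],
];

/**
 * true  = inside an affected range
 * false = not listed, or outside every range
 * null  = branch alias such as "dev-main"; version_compare() cannot place it,
 *         so it must be reviewed by hand instead of silently passing
 */
function isAffected(string $package, string $version): ?bool
{
    if (!isset(AFFECTED[$package])) {
        return false;
    }
    if (strncmp($version, 'dev-', 4) === 0) {
        return null;
    }
    $version = ltrim($version, 'v');  // composer.lock keeps the tag, e.g. "v10.4.13"
    foreach (AFFECTED[$package] as [$first, $patched]) {
        if (version_compare($version, $first, '>=') && version_compare($version, $patched, '<')) {
            return true;
        }
    }
    return false;
}

/** Returns [package => status] for every package that needs attention. */
function findVulnerable(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $report = [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        $status = isAffected($pkg['name'], $pkg['version']);
        if ($status === false) {
            continue;
        }
        $report[$pkg['name']] = ($status === null ? 'unverifiable dev version ' : 'affected ') . $pkg['version'];
    }
    return $report;
}

// Constructed composer.lock excerpt; replace with file_get_contents('composer.lock').
$lock = <<<'JSON'
{"packages":[
 {"name":"typo3/cms-core","version":"v10.4.13"},
 {"name":"typo3/cms-backend","version":"v10.4.13"},
 {"name":"typo3/cms-fluid","version":"v10.4.13"},
 {"name":"psr/log","version":"1.1.4"}
],"packages-dev":[]}
JSON;

foreach (findVulnerable($lock) as $name => $status) {
    echo $name, ': ', $status, ' (CVE-2021-21370)', PHP_EOL;
}
```

Two caveats worth keeping: the check only covers the Composer packages the advisory lists, so a classic (non-Composer) installation must be checked against the TYPO3 version in the backend instead; and `version_compare` orders any non-numeric prefix below every number, which is why `dev-*` versions are reported for manual review rather than treated as patched.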
Affected products
- osv-coords (no CPE), 4 version ranges listed, 2 distinct: >= 7.0.0, < 7.6.51; >= 10.0.0, < 10.4.14
- TYPO3/TYPO3.CMS v5 range: >= 7.0.0, <= 7.6.50
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
Seven references, sourced via the GHSA:
- github.com/advisories/GHSA-x7hc-x7fm-f7qh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21370 (advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21370.yaml (web)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21370.yaml (web)
- github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh (vendor confirmation, web)
- packagist.org/packages/typo3/cms-backend (web)
- typo3.org/security/advisory/typo3-core-sa-2021-008 (vendor advisory, web)
News mentions
No linked articles in our index yet.