Cross-Site Scripting in Page Preview
Description
TYPO3 is an open-source, PHP-based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When _Page TSconfig_ settings are not properly encoded, the corresponding page preview module (_Web>View_) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, and 11.3.1 contain a patch for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The TYPO3 backend preview module (Web>View) is vulnerable to persistent XSS via unencoded Page TSconfig settings; exploitation requires a valid backend user account.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the TYPO3 backend preview module (Web>View) in versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 [1]. The flaw occurs when Page TSconfig settings are not properly encoded, allowing malicious content to be stored and later rendered unsafely in the preview module.
Exploitation
Exploitation requires a valid backend user account [1]. An attacker with such access can craft malicious Page TSconfig settings that, when the preview module is loaded, execute arbitrary JavaScript in the browser of the backend user viewing the page preview.
Impact
Successful exploitation leads to persistent cross-site scripting. The attacker can execute arbitrary JavaScript in the context of the affected backend user's session, potentially leading to session theft, manipulation of backend actions, or data exfiltration [1].
Mitigation
The vulnerability is patched in TYPO3 versions 9.5.29, 10.4.18, and 11.3.1 [1]. Users should update to these or later releases. No workaround is documented; the fix ensures proper encoding of Page TSconfig settings in the preview module.
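To make the mechanism behind the fix concrete, the following is an added illustration in plain PHP and not TYPO3's own code: a preview renderer that interpolates editor-controlled configuration values into HTML, shown once without encoding and once with output encoding applied at the point where each value enters the markup. The function names, the `preview.label`/`preview.url` keys and the sample configuration are all constructed for this example.

```php
<?php
// Added example, not from TYPO3: contrast an unencoded preview renderer with
// an output-encoded one. Keys, function names and sample data are constructed.

declare(strict_types=1);

/**
 * Vulnerable pattern: configuration values written by a backend user are
 * concatenated straight into markup. Any '<', '"' or '&' in a value becomes
 * live HTML in the browser of whoever opens the preview, which is exactly
 * the persistent-XSS shape described above.
 */
function renderPreviewBarUnsafe(array $config): string
{
    $label = (string)($config['preview.label'] ?? 'Preview');
    $url   = (string)($config['preview.url'] ?? '#');
    return '<div class="preview-bar"><a href="' . $url . '">' . $label . '</a></div>';
}

/**
 * Hardened pattern: every value is encoded for the HTML context it lands in
 * at the moment of output. htmlspecialchars() with ENT_QUOTES covers both a
 * text node and a double-quoted attribute value. Because encoding alone does
 * not neutralise a dangerous URL scheme inside href, the URL is additionally
 * restricted to relative, http or https targets before it is encoded.
 */
function renderPreviewBarSafe(array $config): string
{
    $flags = ENT_QUOTES | ENT_HTML5;

    $label = htmlspecialchars((string)($config['preview.label'] ?? 'Preview'), $flags, 'UTF-8');

    $rawUrl = (string)($config['preview.url'] ?? '#');
    $scheme = strtolower((string) parse_url($rawUrl, PHP_URL_SCHEME));
    $allowed = ($scheme === '' || $scheme === 'http' || $scheme === 'https');
    $url = htmlspecialchars($allowed ? $rawUrl : '#', $flags, 'UTF-8');

    return '<div class="preview-bar"><a href="' . $url . '">' . $label . '</a></div>';
}

// Constructed sample: configuration values carrying markup and a non-HTTP scheme,
// the kind of stored content a preview module must never render verbatim.
$config = [
    'preview.label' => 'Demo <script>probe()</script>',
    'preview.url'   => 'javascript:probe()',
];

echo renderPreviewBarUnsafe($config), PHP_EOL;
echo renderPreviewBarSafe($config), PHP_EOL;
```

Running the script prints the unsafe variant with a live `<script>` element and a `javascript:` link, and the safe variant with the label rendered as `&lt;script&gt;probe()&lt;/script&gt;` and the href reduced to `#`. The design point is that encoding belongs at output time, in the renderer, rather than at storage time: stored values stay usable in other contexts (logs, JSON, plain text) and no code path can forget that a value was "pre-encoded" for HTML.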
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| typo3/cms-core | Packagist | >= 9.0.0, < 9.5.28 | 9.5.28 |
| typo3/cms-core | Packagist | >= 10.0.0, < 10.4.18 | 10.4.18 |
| typo3/cms-core | Packagist | >= 11.0.0, < 11.3.1 | 11.3.1 |
| typo3/cms | Packagist | >= 10.0.0, < 10.4.18 | 10.4.18 |
| typo3/cms | Packagist | >= 11.0.0, < 11.3.1 | 11.3.1 |
| typo3/cms | Packagist | >= 9.0.0, < 9.5.28 | 9.5.28 |
Affected products
- (no CPE) range: >= 9.0.0, < 9.5.287
- (no CPE) range: >= 10.0.0, < 10.4.18
- (no CPE) range: >= 9.0.0, < 9.5.28
- TYPO3/TYPO3.CMS (v5) range: >= 9.0.0, < 9.5.29
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-8mq9-fqv8-59wf (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-32667 (GHSA, advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32667.yaml (GHSA, web)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32667.yaml (GHSA, web)
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-8mq9-fqv8-59wf (GHSA, x_refsource_CONFIRM, web)
- https://github.com/TYPO3/typo3/security/advisories/GHSA-8mq9-fqv8-59wf (GHSA, web)
- https://typo3.org/security/advisory/typo3-core-sa-2021-009 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.