VYPR
Moderate severityNVD Advisory· Published Aug 10, 2021· Updated Aug 3, 2024

Cross-Site Scripting via Rich-Text Content

CVE-2021-32768

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser does not consider all potentially malicious HTML tag & attribute combinations per default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
typo3/cms-corePackagist
>= 7.0.0, < 7.6.537.6.53
typo3/cms-corePackagist
>= 8.0.0, < 8.7.428.7.42
typo3/cms-corePackagist
>= 10.0.0, < 10.4.1910.4.19
typo3/cms-corePackagist
>= 11.0.0, < 11.3.211.3.2
typo3/cms-corePackagist
>= 9.0.0, < 9.5.299.5.29
typo3/cmsPackagist
>= 10.0.0, < 10.4.1910.4.19
typo3/cmsPackagist
>= 11.0.0, < 11.3.211.3.2
typo3/cmsPackagist
>= 9.0.0, < 9.5.299.5.29
typo3/cmsPackagist
>= 8.0.0, < 8.7.428.7.42
typo3/cmsPackagist
>= 7.0.0, < 7.6.537.6.53

Affected products

4

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.