Cross-Site Scripting via Rich-Text Content
Description
TYPO3 is an open source, PHP-based web content management system released under the GNU GPL. In affected versions, failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. The corresponding rendering instructions via the TypoScript functionality HTMLparser do not consider all potentially malicious HTML tag and attribute combinations by default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TYPO3 CMS is vulnerable to cross-site scripting via rich-text content due to insufficient HTML sanitization, allowing malicious markup injection in the frontend.
Vulnerability
TYPO3 CMS versions 7.0.0 through 7.6.52 ELTS, 8.0.0 through 8.7.41 ELTS, 9.0.0 through 9.5.28, 10.0.0 through 10.4.18, and 11.0.0 through 11.3.1 are affected by a cross-site scripting (XSS) vulnerability in the rich-text content rendering process. The HTMLparser TypoScript function fails to properly parse, sanitize, and encode malicious HTML tags and attributes, allowing injection of arbitrary markup [1][2].
Exploitation
In a default configuration, a valid backend user account is required to exploit this vulnerability. However, if custom plugins in the website frontend accept and reflect rich-text content submitted by users, no authentication is needed. An attacker can craft malicious rich-text content that, when rendered by the frontend, executes arbitrary JavaScript in the context of the victim's browser [2].
Impact
Successful exploitation leads to cross-site scripting (XSS), enabling the attacker to execute arbitrary JavaScript in the victim's browser. This can result in information disclosure, session hijacking, or other malicious actions performed on behalf of the victim [1][2].
Mitigation
Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, or 11.3.2, which include the typo3/html-sanitizer package that sanitizes malicious markup based on allow-lists. This sanitization is applied to the default TypoScript path lib.parseFunc and to rich-text data from the backend user interface. No workaround is available without applying the fix [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| typo3/cms-core | Packagist | >= 7.0.0, < 7.6.53 | 7.6.53 |
| typo3/cms-core | Packagist | >= 8.0.0, < 8.7.42 | 8.7.42 |
| typo3/cms-core | Packagist | >= 9.0.0, < 9.5.29 | 9.5.29 |
| typo3/cms-core | Packagist | >= 10.0.0, < 10.4.19 | 10.4.19 |
| typo3/cms-core | Packagist | >= 11.0.0, < 11.3.2 | 11.3.2 |
| typo3/cms | Packagist | >= 7.0.0, < 7.6.53 | 7.6.53 |
| typo3/cms | Packagist | >= 8.0.0, < 8.7.42 | 8.7.42 |
| typo3/cms | Packagist | >= 9.0.0, < 9.5.29 | 9.5.29 |
| typo3/cms | Packagist | >= 10.0.0, < 10.4.19 | 10.4.19 |
| typo3/cms | Packagist | >= 11.0.0, < 11.3.2 | 11.3.2 |
Affected products
- OSV coordinates (no CPE), 3 version ranges:
  - >= 7.0.0, < 7.6.52
  - >= 10.0.0, < 10.4.19
  - >= 7.0.0, < 7.6.53
- TYPO3/TYPO3.CMS (v5), range: >= 7.0.0, < 7.6.53
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-c5c9-8c6m-727v (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-32768 (source: GHSA; type: ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32768.yaml (source: GHSA; type: WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32768.yaml (source: GHSA; type: WEB)
- github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-c5c9-8c6m-727v (source: GHSA, x_refsource_CONFIRM; type: WEB)
- github.com/TYPO3/typo3/security/advisories/GHSA-c5c9-8c6m-727v (source: GHSA; type: WEB)
- typo3.org/security/advisory/typo3-core-sa-2021-013 (source: GHSA, x_refsource_MISC; type: WEB)
News mentions
No linked articles in our index yet.