CVE-2021-36787
Description
The femanager TYPO3 extension versions before 5.5.1 and 6.3.1 allow XSS via uploaded SVG profile images.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The femanager TYPO3 extension versions before 5.5.1 and 6.3.1 allow XSS via uploaded SVG profile images.
Vulnerability
The TYPO3 extension femanager for frontend user registration and management allows authenticated frontend users to upload SVG files as profile images. If the uploaded SVG is subsequently displayed on the website without sanitization, it can execute arbitrary JavaScript in the context of the victim's browser. The issue affects versions before 5.5.1 and versions 6.0.0 to 6.3.0 inclusive [1][4].
Exploitation
An attacker must be a logged-in frontend user with permission to upload a profile image. They craft a malicious SVG containing JavaScript payload and upload it through the normal profile image upload feature. When another user or administrator views a page that renders this SVG image (e.g., a user list or the attacker's profile), the payload executes in their browser. No further user interaction is required beyond navigating to the affected page [4].
Impact
Successful exploitation leads to stored cross-site scripting (XSS). The attacker can execute arbitrary JavaScript in the context of the victim's session, potentially leading to information disclosure (e.g., stealing session tokens or CSRF tokens), modifying page content, or performing actions on behalf of the victim. The scope of impact is limited by the permissions of the victim user [1][4].
Mitigation
The issue is fixed in versions 5.5.1 and 6.3.1, released on August 10, 2021. Users should update the femanager extension to at least these versions via the TYPO3 extension manager, Packagist, or the TYPO3 Extension Repository [3][4]. If SVG uploads are required, it is recommended to use the TYPO3 extension svg_sanitizer (added to TYPO3 core since versions 9.5.28, 10.4.18 and 11.3.0) or to set up a strict Content Security Policy for the destination folder of uploaded images [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
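The fix commit removes `svg` from the upload allowlist, and the advisory additionally recommends sanitizing SVGs or constraining where they are served from. The Python helper below is an added example for this page, not femanager or TYPO3 code: it applies the post-fix allowlist (case-insensitively, on the file's final extension) and sniffs file content so that profile images already on disk from before the upgrade can be triaged for SVGs carrying script-capable constructs. The element and attribute lists, the `triage_upload` interface and the fixtures are assumptions of this example, not the rule set of the svg_sanitizer extension.

```python
import re
import xml.etree.ElementTree as ET

# Allowlist as it reads after the fix commit: svg removed, compared in lower case.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp", "tif", "tiff"}
# SVG elements that can run or embed active content (assumed triage list for this
# example, not the svg_sanitizer rule set).
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)


def extension_allowed(filename: str) -> bool:
    """Accept only files whose final extension is on the allowlist, case-insensitively."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def _local(qname: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return qname.rsplit("}", 1)[-1]


def _parse(data: bytes):
    # For untrusted input in production, defusedxml.ElementTree.fromstring is the
    # safer parser; the stdlib expat parser is enough for this illustration.
    try:
        return ET.fromstring(data)
    except ET.ParseError:
        return None


def looks_like_svg(data: bytes) -> bool:
    """Content sniff: the file is SVG if it parses as XML with an <svg> root, whatever its name."""
    root = _parse(data)
    return root is not None and _local(root.tag) == "svg"


def find_active_content(data: bytes) -> list[str]:
    """List script-capable constructs in an SVG: active elements, on* handlers, javascript: hrefs."""
    root = _parse(data)
    if root is None:
        return ["not well-formed XML"]
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            if attr_name.lower().startswith("on"):
                findings.append(f"{attr_name} event handler on <{name}>")
            elif attr_name == "href" and JS_URL.match(value):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


def triage_upload(filename: str, data: bytes) -> dict:
    """Combine the extension allowlist (the fix) with content inspection (for files already on disk)."""
    is_svg = looks_like_svg(data)
    return {
        "filename": filename,
        "extension_ok": extension_allowed(filename),
        "is_svg": is_svg,
        "findings": find_active_content(data) if is_svg else [],
        # Reject every SVG, as the fix does, not only those with a visible payload.
        "accept": extension_allowed(filename) and not is_svg,
    }


# Constructed fixtures for a self-check; not data taken from the advisory.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    b'<script>alert(1)</script>'
    b'<a xlink:href="javascript:alert(1)"><text>x</text></a>'
    b'</svg>'
)
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # header only, enough for the sniff

if __name__ == "__main__":
    for name, blob in [("avatar.png", PNG_STUB), ("avatar.svg", BENIGN_SVG),
                       ("avatar.PNG", SCRIPTED_SVG)]:
        print(triage_upload(name, blob))
```

Run `triage_upload` over every file in the profile-image storage folder after upgrading: anything with `is_svg` set was accepted by the vulnerable versions regardless of its name, and the `findings` list tells a reviewer which of those actually carry executable content and should be quarantined first. The `accept` verdict deliberately rejects all SVGs, matching the fix, rather than trying to enumerate every dangerous construct.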
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| in2code/femanager | Packagist | < 5.5.1 | 5.5.1 |
| in2code/femanager | Packagist | >= 6.0.0, < 6.3.1 | 6.3.1 |
Affected products
- TYPO3/femanager
Patches
70f873c60f0e [TASK] Disallow .svg as upload filetype
2 files changed · +2 −2
Classes/Domain/Service/FileService.php+1 −1 modified@@ -27,7 +27,7 @@ class FileService /** * @var string */ - protected $fallbackExtensions = 'jpg,jpeg,png,gif,bmp,svg,tif,tiff'; + protected $fallbackExtensions = 'jpg,jpeg,png,gif,bmp,tif,tiff'; /** * FileService constructor.
Configuration/TypoScript/Main/setup.typoscript+1 −1 modified@@ -1545,7 +1545,7 @@ plugin.tx_femanager { uploadSize = 25000000 # Number of allowed images to upload - uploadFileExtension = jpeg, jpg, gif, png, bmp, svg, tif, tiff + uploadFileExtension = jpeg, jpg, gif, png, bmp, tif, tiff # Width of the rendered image in FE renderImageWidth = 250
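Review bot: in the FileService.php hunk, removing `svg` from `$fallbackExtensions` changes, judging by the property name, only the list used when no configured value is present, so it is worth confirming in the same change that the comparison against this list is case-insensitive and looks at the file's final extension (an upload named `avatar.SVG` or carrying a double extension must not pass a plain string match), and that files uploaded before this change are noted as remaining in storage untouched by the patch; a changelog line asking operators to review existing profile images would close that gap.

Review bot: in the setup.typoscript hunk, the comment `# Number of allowed images to upload` sits directly above `uploadFileExtension` and describes a different setting; since the line is being touched anyway, change the comment to something like `# Allowed file extensions for uploaded images`. Because this is the shipped default, any site that overrides `uploadFileExtension` in its own TypoScript keeps `svg` after the update, so the release notes should tell integrators to drop `svg` from their override as well.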
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-f3rf-v9qm-9c89 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-36787 (NVD)
- packetstormsecurity.com/files/165675/TYPO3-femanager-6.3.0-Cross-Site-Scripting.html
- seclists.org/fulldisclosure/2022/Jan/53 (Full Disclosure mailing list)
- extensions.typo3.org/extension/femanager
- github.com/in2code-de/femanager/commit/70f873c60f0e40ffd6a1300218ca368156fc1bf2 (fix commit)
- github.com/in2code-de/femanager/releases/tag/6.3.1
- typo3.org/help/security-advisories/security
- typo3.org/security/advisory/typo3-ext-sa-2021-010 (TYPO3-EXT-SA-2021-010)