CVE-2021-21340: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

March 23, 2021 (updated March 24, 2021)

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as descriptionColumn are vulnerable to cross-site scripting when their content gets previewed. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 10.4.14, 11.1.1 .

References

github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-fjh3-g8gq-9q92
github.com/advisories/GHSA-fjh3-g8gq-9q92
nvd.nist.gov/vuln/detail/CVE-2021-21340
packagist.org/packages/typo3/cms-backend
typo3.org/security/advisory/typo3-core-sa-2021-007

Detect and mitigate CVE-2021-21340 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →