CVE-2021-21340

MEDIUM

Typo3 < 10.4.14 - XSS

Title source: rule

Description

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 10.4.14, 11.1.1 .

References (3)

[Third Party Advisory] https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-fjh3-g8gq-9q92

[Release Notes, Third Party Advisory] https://packagist.org/packages/typo3/cms-backend

[Vendor Advisory] https://typo3.org/security/advisory/typo3-core-sa-2021-007

Scores

CVSS v3 5.4

EPSS 0.0038

EPSS Percentile 59.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (4)

typo3/typo3 < 10.4.14

typo3/cms-backend < 10.4.14Packagist

typo3/cms-core < 10.4.14Packagist

typo3/cms < 10.4.14Packagist

Timeline

Published Mar 23, 2021

Tracked Since Feb 18, 2026