CVE-2021-21370

MEDIUM

Typo3 < 7.6.51 - XSS

Title source: rule

Description

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.

References (3)

[Third Party Advisory] https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh

[Release Notes, Third Party Advisory] https://packagist.org/packages/typo3/cms-backend

[Vendor Advisory] https://typo3.org/security/advisory/typo3-core-sa-2021-008

Scores

CVSS v3 5.4

EPSS 0.0034

EPSS Percentile 56.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (4)

typo3/typo3 < 7.6.51

typo3/cms-backend < 7.6.51Packagist

typo3/cms-core < 10.4.14Packagist

typo3/cms < 10.4.14Packagist

Timeline

Published Mar 23, 2021

Tracked Since Feb 18, 2026