CVE-2021-21370

MEDIUM

TYPO3 < 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 - Authenticated Cross-Site Scripting in Menu Content Element Preview

Title source: llm

Description

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.

References (3)

Core 3

Core References

Release Notes, Third Party Advisory x_refsource_misc

https://packagist.org/packages/typo3/cms-backend

Third Party Advisory x_refsource_confirm

https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh

Vendor Advisory x_refsource_misc

https://typo3.org/security/advisory/typo3-core-sa-2021-008

Scores

CVSS v3 5.4

EPSS 0.0034

EPSS Percentile 57.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (4)

typo3/cms 10.0.0 - 10.4.14Packagist

typo3/cms-backend 7.0.0 - 7.6.51Packagist

typo3/cms-core 10.0.0 - 10.4.14Packagist

typo3/typo3 7.0.0 - 7.6.51

Published Mar 23, 2021

Tracked Since Feb 18, 2026