cbcvebase.
CVE-2021-32768
published 2021-08-10

CVE-2021-32768: TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode…

PriorityP428medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.73%
49.5th percentile
TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser does not consider all potentially malicious HTML tag & attribute combinations per default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described.

Affected

20 ranges
VendorProductVersion rangeFixed in
typo3cms>= 10.0.0 < 10.4.1910.4.19
typo3cms>= 11.0.0 < 11.3.211.3.2
typo3cms>= 7.0.0 < 7.6.537.6.53
typo3cms>= 8.0.0 < 8.7.428.7.42
typo3cms>= 9.0.0 < 9.5.299.5.29
typo3cms-core>= 10.0.0 < 10.4.1910.4.19
typo3cms-core>= 11.0.0 < 11.3.211.3.2
typo3cms-core>= 7.0.0 < 7.6.537.6.53
typo3cms-core>= 8.0.0 < 8.7.428.7.42
typo3cms-core>= 9.0.0 < 9.5.299.5.29
typo3typo310.0.0 – 10.4.18
typo3typo311.0.0 – 11.3.1
typo3typo37.0.0 – 7.6.52
typo3typo38.0.0 – 8.7.41
typo3typo39.0.0 – 9.5.28
typo3typo3.cms
typo3typo3.cms
typo3typo3.cms
typo3typo3.cms
typo3typo3.cms

CVSS provenance

nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat5.5MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.