Severity: 6.1 MEDIUM (NVD)
EPSS: 0.3% (top 48.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 10; latest update Feb 28

Description

TYPO3 is an open source PHP-based web content management system released under the GNU GPL. In affected versions, because malicious rich-text content is not properly parsed, sanitized and encoded, the content rendering process in the website frontend is vulnerable to cross-site scripting. The corresponding rendering instructions via the TypoScript functionality HTMLparser do not consider all potentially malicious HTML tag and attribute combinations by default. In default scenarios, a valid backend user account

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (4 packages)

Packagist | typo3/cms | 10.0.0 | 10.4.19 | +4
Packagist | typo3/cms-core | 7.0.0 | 7.6.53 | +4
NVD | typo3/typo3 | 7.0.0 | 7.6.52 | +4
CVEListV5 | typo3/typo3.cms | 5 versions | +4

🔴 Vulnerability Details (3)

OSV: Cross-Site Scripting via Rich-Text Content (2021-08-19)
GHSA: Cross-Site Scripting via Rich-Text Content (2021-08-19)
CVEList: Cross-Site Scripting via Rich-Text Content (2021-08-10)

📋 Vendor Advisories (1)

Red Hat: kernel: spi: spi-zynqmp-gqspi: return -ENOMEM if dma_map_single fails (2024-02-28)
CVE-2021-32768 — Cross-site Scripting in Typo3 CMS | cvebase