CVE-2021-21338: Open Redirection in Login Handling
First published: Tue Mar 16 2021(Updated: )
### Problem It has been discovered that Login Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and conducting phishing attacks. No authentication is required in order to exploit this vulnerability. ### Solution Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to Alexander Kellner who reported this issue and to TYPO3 security team member Torben Hansen who fixed the issue. ### References * [TYPO3-CORE-SA-2021-001](https://typo3.org/security/advisory/typo3-core-sa-2021-001)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/typo3/cms-core | >=10.0.0<10.4.14>=11.0.0<11.1.1>=9.0.0<9.5.25 | |
| composer/typo3/cms | >=10.0.0<10.4.14>=11.0.0<11.1.1>=9.0.0<9.5.25 | |
| Typo3 Typo3 | >=6.2.0<6.2.57 | |
| Typo3 Typo3 | >=7.0.0<7.6.51 | |
| Typo3 Typo3 | >=8.0.0<8.7.40 | |
| Typo3 Typo3 | >=9.0.0<9.5.25 | |
| Typo3 Typo3 | >=10.0.0<10.4.14 | |
| Typo3 Typo3 | >=11.0.0<11.1.1 | |
| composer/typo3/cms | >=9.0.0<9.5.25 | 9.5.25 |
| composer/typo3/cms | >=11.0.0<11.1.1 | 11.1.1 |
| composer/typo3/cms | >=10.0.0<10.4.14 | 10.4.14 |
| composer/typo3/cms-core | >=9.0.0<9.5.25 | 9.5.25 |
| composer/typo3/cms-core | >=11.0.0<11.1.1 | 11.1.1 |
| composer/typo3/cms-core | >=10.0.0<10.4.14 | 10.4.14 |
| composer/typo3/cms-core | >=8.0.0<=8.7.39 | 8.7.40 |
| composer/typo3/cms-core | >=7.0.0<=7.6.50 | 7.6.51 |
| composer/typo3/cms-core | >=6.2.0<=6.2.56 | 6.2.57 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://typo3.org/security/advisory/typo3-core-sa-2021-001
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4jhw-2p6j-5wmp
- https://packagist.org/packages/typo3/cms-core
- https://nvd.nist.gov/vuln/detail/CVE-2021-21338
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21338.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21338.yaml
- https://github.com/advisories/GHSA-4jhw-2p6j-5wmp (Advisory)
Frequently Asked Questions
What is the vulnerability ID of this TYPO3 vulnerability?
The vulnerability ID is CVE-2021-21338.
What is the title of this TYPO3 vulnerability?
The title of this TYPO3 vulnerability is TYPO3-CORE-SA-2021-001: Open Redirection in Login Handling.
What is the severity of CVE-2021-21338?
The severity of CVE-2021-21338 has not been provided in the information provided.
Which versions of TYPO3 are affected by this vulnerability?
TYPO3 versions 10.0.0 to 10.4.14, 11.0.0 to 11.1.1, and 9.0.0 to 9.5.25 are affected by this vulnerability.
How can I fix the Open Redirection in Login Handling vulnerability in TYPO3?
To fix the Open Redirection in Login Handling vulnerability in TYPO3, update your TYPO3 installation to a version that is not affected by this vulnerability.
- collector/friends-of-php
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4jhw-2p6j-5wmp
- alias/CVE-2021-21338
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/softwarecombine
- agent/description
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/last-modified-date
- agent/tags
- agent/event
- package-manager/composer
- vendor/typo3
- canonical/typo3 typo3
- version/typo3 typo3/6.2.0
- version/typo3 typo3/7.0.0
- version/typo3 typo3/8.0.0
- version/typo3 typo3/9.0.0
- version/typo3 typo3/10.0.0
- version/typo3 typo3/11.0.0