CVE-2021-21358: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in typo3/cms-form
First published: Tue Mar 16 2021(Updated: )
### Problem It has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 10.4.14 or 11.1.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue. ### References * [TYPO3-CORE-SA-2021-004](https://typo3.org/security/advisory/typo3-core-sa-2021-004)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/typo3/cms | >=10.0.0<10.4.14>=11.0.0<11.1.1 | |
| composer/typo3/cms-core | >=10.0.0<10.4.14>=11.0.0<11.1.1 | |
| Typo3 Typo3 | >=10.2.0<10.4.14 | |
| Typo3 Typo3 | >=11.0.0<11.1.1 | |
| composer/typo3/cms | >=11.0.0<11.1.1 | 11.1.1 |
| composer/typo3/cms | >=10.0.0<10.4.14 | 10.4.14 |
| composer/typo3/cms-core | >=11.0.0<11.1.1 | 11.1.1 |
| composer/typo3/cms-core | >=10.0.0<10.4.14 | 10.4.14 |
| composer/typo3/cms-form | >=11.0.0<=11.1.0 | 11.1.1 |
| composer/typo3/cms-form | >=10.2.0<=10.4.13 | 10.4.14 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://typo3.org/security/advisory/typo3-core-sa-2021-004
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x79j-wgqv-g8h2
- https://packagist.org/packages/typo3/cms-form
- https://nvd.nist.gov/vuln/detail/CVE-2021-21358
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21358.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21358.yaml
- https://github.com/advisories/GHSA-x79j-wgqv-g8h2 (Advisory)
Frequently Asked Questions
What is the vulnerability ID for this TYPO3 vulnerability?
The vulnerability ID for this TYPO3 vulnerability is CVE-2021-21358.
What is the title of this TYPO3 vulnerability?
The title of this TYPO3 vulnerability is TYPO3-CORE-SA-2021-004: Cross-Site Scripting in Form Framework.
What is the description of this TYPO3 vulnerability?
The description of this TYPO3 vulnerability is Cross-Site Scripting in Form Framework.
What software versions are affected by this TYPO3 vulnerability?
The affected software versions for this TYPO3 vulnerability are TYPO3 CMS Core 10.0.0 up to 10.4.14 and 11.0.0 up to 11.1.1.
Where can I find more information about this TYPO3 vulnerability?
You can find more information about this TYPO3 vulnerability at the following reference: [TYPO3-CORE-SA-2021-004](https://typo3.org/security/advisory/typo3-core-sa-2021-004).
- collector/friends-of-php
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-x79j-wgqv-g8h2
- alias/CVE-2021-21358
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/author
- agent/description
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/last-modified-date
- agent/tags
- agent/event
- package-manager/composer
- vendor/typo3
- canonical/typo3 typo3
- version/typo3 typo3/10.2.0
- version/typo3 typo3/11.0.0