Base Score

MEDIUM5.4

CVE-2021-21370

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateMar 23, 2021, 02:15

Affected Versions(11)

typo3/cms-backend(Packagist)

Introduced7.0.0

Fixed7.6.51

LimitN/A

typo3/cms-backend(Packagist)

Introduced8.0.0

Fixed8.7.40

LimitN/A

typo3/cms-backend(Packagist)

Introduced9.0.0

Fixed9.5.25

LimitN/A

typo3/cms-backend(Packagist)

Introduced10.0.0

Fixed10.4.14

LimitN/A

typo3/cms-backend(Packagist)

Introduced11.0.0

Fixed11.1.1

LimitN/A

typo3/cms-core(Packagist)

Introduced10.0.0

Fixed10.4.14

LimitN/A

typo3/cms-core(Packagist)

Introduced11.0.0

Fixed11.1.1

LimitN/A

typo3/cms-core(Packagist)

Introduced9.0.0

Fixed9.5.25

LimitN/A

typo3/cms(Packagist)

Introduced10.0.0

Fixed10.4.14

LimitN/A

typo3/cms(Packagist)

Introduced11.0.0

Fixed11.1.1

LimitN/A

typo3/cms(Packagist)

Introduced9.0.0

Fixed9.5.25

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
typo3/cms-backend(Packagist)	7.0.0	7.6.51	N/A
typo3/cms-backend(Packagist)	8.0.0	8.7.40	N/A
typo3/cms-backend(Packagist)	9.0.0	9.5.25	N/A
typo3/cms-backend(Packagist)	10.0.0	10.4.14	N/A
typo3/cms-backend(Packagist)	11.0.0	11.1.1	N/A
typo3/cms-core(Packagist)	10.0.0	10.4.14	N/A
typo3/cms-core(Packagist)	11.0.0	11.1.1	N/A
typo3/cms-core(Packagist)	9.0.0	9.5.25	N/A
typo3/cms(Packagist)	10.0.0	10.4.14	N/A
typo3/cms(Packagist)	11.0.0	11.1.1	N/A
typo3/cms(Packagist)	9.0.0	9.5.25	N/A

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

5.4

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

MEDIUM5.4

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

5.4

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE

CVE-2021-21370

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateMar 23, 2021, 02:15

Package (Ecosystem)

Introduced

Fixed

Limit

typo3/cms-backend(Packagist)

7.0.0

7.6.51

N/A

typo3/cms-backend(Packagist)

8.0.0

8.7.40

N/A

typo3/cms-backend(Packagist)

9.0.0

9.5.25

N/A

typo3/cms-backend(Packagist)

10.0.0

10.4.14

N/A

typo3/cms-backend(Packagist)

11.0.0

11.1.1

N/A

typo3/cms-core(Packagist)

10.0.0

10.4.14

N/A

typo3/cms-core(Packagist)

11.0.0

11.1.1

N/A

typo3/cms-core(Packagist)

9.0.0

9.5.25

N/A

typo3/cms(Packagist)

10.0.0

10.4.14

N/A

typo3/cms(Packagist)

11.0.0

11.1.1

N/A

typo3/cms(Packagist)

9.0.0

9.5.25

N/A