CVE-2021-32768

2021-08-1017:15:10

Google

osv.dev

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.3%

JSON

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser does not consider all potentially malicious HTML tag & attribute combinations per default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described.

CPENameOperatorVersion
bootstrap_packageeq14.0.3
bootstrap_packageeq7.0.0
bootstrap_packageeq12.0.1
bootstrap_packageeq9.4.0
bootstrap_packageeq9.0.1
bootstrap_packageeq7.0.3
bootstrap_packageeq9.0.3
bootstrap_packageeq11.0.0
bootstrap_packageeq9.3.0
bootstrap_packageeq11.3.0

Name	Operator	Version
bootstrap_package	eq	14.0.3
bootstrap_package	eq	7.0.0
bootstrap_package	eq	12.0.1
bootstrap_package	eq	9.4.0
bootstrap_package	eq	9.0.1
bootstrap_package	eq	7.0.3
bootstrap_package	eq	9.0.3
bootstrap_package	eq	11.0.0
bootstrap_package	eq	9.3.0
bootstrap_package	eq	11.3.0