Strix
26.1K

CVE-2021-32768

MEDIUMCVSS 6.1/10EPSS 0.73%

Last modified

CVE-2021-32768 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. EPSS estimates a 0.73% chance of exploitation in the next 30 days.

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser does not consider all potentially malicious HTML tag & attribute combinations per default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described.

Metrics

CVSS 3.1
6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability
0.73%

49.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Typo3Typo3>= 7.0.0, <= 7.6.52
Typo3Typo3>= 8.0.0, <= 8.7.41
Typo3Typo3>= 9.0.0, <= 9.5.28
Typo3Typo3>= 10.0.0, <= 10.4.18
Typo3Typo3>= 11.0.0, <= 11.3.1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-32768?
TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser does not consider all potentially malicious HTML tag & attribute combinations per default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described.
How severe is CVE-2021-32768?
CVE-2021-32768 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 0.73% probability of exploitation in the next 30 days.
How do I fix CVE-2021-32768?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-32768?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST