CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2021-32768 – Cross-Site Scripting via Rich-Text Content
https://notcve.org/view.php?id=CVE-2021-32768
TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser does not consider all potentially malicious HTML tag & attribute combinations per default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-c5c9-8c6m-727v https://typo3.org/security/advisory/typo3-core-sa-2021-013 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2021-32767 – Information Disclosure in User Authentication
https://notcve.org/view.php?id=CVE-2021-32767
TYPO3 is an open source PHP based web content management system. In versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may been logged as plain-text. This occurs when explicitly using log level debug, which is not the default configuration. TYPO3 versions 9.5.28, 10.4.18, 11.3.1 contain a patch for this vulnerability. TYPO3 es un sistema de administración de contenidos web de código abierto basado en PHP. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-34fr-fhqr-7235 https://typo3.org/security/advisory/typo3-core-sa-2021-012 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 2CVE-2021-21365 – Cross-Site Scripting in Content Rendering
https://notcve.org/view.php?id=CVE-2021-21365
Bootstrap Package is a theme for TYPO3. It has been discovered that rendering content in the website frontend is vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. Users of the extension, who have overwritten the affected templates with custom code must manually apply the security fix. Update to version 7.1.2, 8.0.8, 9.1.4, 10.0.10 or 11.0.3 of the Bootstrap Package that fix the problem described. • https://github.com/benjaminkott/bootstrap_package/commit/de3a568fc311d6712d9339643e51e8627c80530b https://github.com/benjaminkott/bootstrap_package/security/advisories/GHSA-p48w-vf3c-rqjx https://typo3.org/security/advisory/typo3-ext-sa-2021-007 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 5EXPL: 0CVE-2021-21370 – Cross-Site Scripting in Content Preview (CType menu)
https://notcve.org/view.php?id=CVE-2021-21370
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1. TYPO3 es un sistema de gestión de contenidos web de código abierto basado en PHP. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh https://packagist.org/packages/typo3/cms-backend https://typo3.org/security/advisory/typo3-core-sa-2021-008 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-21339 – Cleartext storage of session identifier
https://notcve.org/view.php?id=CVE-2021-21339
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1. TYPO3 es un sistema de gestión de contenidos web de código abierto basado en PHP. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-qx3w-4864-94ch https://packagist.org/packages/typo3/cms-core https://typo3.org/security/advisory/typo3-core-sa-2021-006 • CWE-312: Cleartext Storage of Sensitive Information •