CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2021-32668 – Cross-Site Scripting in Query Generator & Query View
https://notcve.org/view.php?id=CVE-2021-32668
TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When error messages are not properly encoded, the components _QueryGenerator_ and _QueryView_ are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this issue. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-6mh3-j5r5-2379 https://typo3.org/security/advisory/typo3-core-sa-2021-010 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2021-32667 – Cross-Site Scripting in Page Preview
https://notcve.org/view.php?id=CVE-2021-32667
TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When _Page TSconfig_ settings are not properly encoded, corresponding page preview module (_Web>View_) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this issue. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-8mq9-fqv8-59wf https://typo3.org/security/advisory/typo3-core-sa-2021-009 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 2CVE-2021-21365 – Cross-Site Scripting in Content Rendering
https://notcve.org/view.php?id=CVE-2021-21365
Bootstrap Package is a theme for TYPO3. It has been discovered that rendering content in the website frontend is vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. Users of the extension, who have overwritten the affected templates with custom code must manually apply the security fix. Update to version 7.1.2, 8.0.8, 9.1.4, 10.0.10 or 11.0.3 of the Bootstrap Package that fix the problem described. • https://github.com/benjaminkott/bootstrap_package/commit/de3a568fc311d6712d9339643e51e8627c80530b https://github.com/benjaminkott/bootstrap_package/security/advisories/GHSA-p48w-vf3c-rqjx https://typo3.org/security/advisory/typo3-ext-sa-2021-007 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-21359 – Denial of Service in Page Error Handling
https://notcve.org/view.php?id=CVE-2021-21359
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.25, 10.4.14, 11.1.1 requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This is fixed in versions 9.5.25, 10.4.14, 11.1.1. TYPO3 es un sistema de gestión de contenidos web de código abierto basado en PHP. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4p9g-qgx9-397p https://packagist.org/packages/typo3/cms-core https://typo3.org/security/advisory/typo3-core-sa-2021-005 • CWE-405: Asymmetric Resource Consumption (Amplification) CWE-674: Uncontrolled Recursion •
CVSS: 5.4EPSS: 0%CPEs: 5EXPL: 0CVE-2021-21370 – Cross-Site Scripting in Content Preview (CType menu)
https://notcve.org/view.php?id=CVE-2021-21370
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1. TYPO3 es un sistema de gestión de contenidos web de código abierto basado en PHP. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh https://packagist.org/packages/typo3/cms-backend https://typo3.org/security/advisory/typo3-core-sa-2021-008 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •