Cross-Site Scripting in Content Preview (CType menu)

2021-03-2301:54:17

Google

osv.dev

0.001 Low

EPSS

Percentile

26.4%

JSON

Problem

It has been discovered that content elements of type menu are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability.

Solution

Update to TYPO3 versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described.

Credits

Thanks to TYPO3 contributor Oliver Bartsch who reported and fixed the issue.

References

TYPO3-CORE-SA-2021-008

CPENameOperatorVersion
typo3/cms-backendeq9.3.3
typo3/cms-coreeq11.0.0
typo3/cms-coreeq9.3.1
typo3/cms-coreeq9.5.14
typo3/cms-backendeq9.5.11
typo3/cms-backendeq8.7.9
typo3/cmseq9.5.11
typo3/cms-backendeq11.1.0
typo3/cmseq9.5.21
typo3/cmseq9.0.0

Name	Operator	Version
typo3/cms-backend	eq	9.3.3
typo3/cms-core	eq	11.0.0
typo3/cms-core	eq	9.3.1
typo3/cms-core	eq	9.5.14
typo3/cms-backend	eq	9.5.11
typo3/cms-backend	eq	8.7.9
typo3/cms	eq	9.5.11
typo3/cms-backend	eq	11.1.0
typo3/cms	eq	9.5.21
typo3/cms	eq	9.0.0