VulnerableCode Package Details - pkg:composer/typo3/cms@10.4.18

Search for packages

Vulnerability	Summary	Fixed by
VCID-tvq8-qbwc-qkfs Aliases: CVE-2021-32768 GHSA-c5c9-8c6m-727v	Cross-Site Scripting via Rich-Text Content > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC` (5.7) ### Problem Failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality _[HTMLparser](https://docs.typo3.org/m/typo3/reference-typoscript/10.4/en-us/Functions/Htmlparser.html)_ do not consider all potentially malicious HTML tag & attribute combinations per default. In addition, the lack of comprehensive default node configuration for rich-text fields in the backend user interface fosters this malfunction. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. ### Solution Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described above. Custom package _[typo3/html-sanitizer](https://github.com/TYPO3/html-sanitizer)_ - based on allow-lists only - takes care of sanitizing potentially malicious markup. The default behavior is based on safe and commonly used markup - however, this can be extended or restricted further in case it is necessary for individual scenarios. During the frontend rendering process, sanitization is applied to the default TypoScript path `lib.parseFunc`, which is implicitly used by the Fluid view-helper instruction `f:format.html`. Rich-text data persisted using the backend user interface is sanitized as well. Implementation details are explained in corresponding [ChangeLog documentation](https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/9.5.x/Important-94484-IntroduceHTMLSanitizer.html). ### Credits Thanks to Benjamin Stiber, Gert-Jan Jansma, Gábor Ács-Kurucz, Alexander Kellner, Richie Lee, Nina Rösch who reported this issue, and to TYPO3 security team member Oliver Hader, as well as TYPO3 contributor Susanne Moog who fixed the issue. ### References * [TYPO3-CORE-SA-2021-013](https://typo3.org/security/advisory/typo3-core-sa-2021-013)	10.4.19 Affected by 0 other vulnerabilities. 11.3.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-tvq8-qbwc-qkfs
Aliases:
CVE-2021-32768
GHSA-c5c9-8c6m-727v

Cross-Site Scripting via Rich-Text Content > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC` (5.7) ### Problem Failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality _[HTMLparser](https://docs.typo3.org/m/typo3/reference-typoscript/10.4/en-us/Functions/Htmlparser.html)_ do not consider all potentially malicious HTML tag & attribute combinations per default. In addition, the lack of comprehensive default node configuration for rich-text fields in the backend user interface fosters this malfunction. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. ### Solution Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described above. Custom package _[typo3/html-sanitizer](https://github.com/TYPO3/html-sanitizer)_ - based on allow-lists only - takes care of sanitizing potentially malicious markup. The default behavior is based on safe and commonly used markup - however, this can be extended or restricted further in case it is necessary for individual scenarios. During the frontend rendering process, sanitization is applied to the default TypoScript path `lib.parseFunc`, which is implicitly used by the Fluid view-helper instruction `f:format.html`. Rich-text data persisted using the backend user interface is sanitized as well. Implementation details are explained in corresponding [ChangeLog documentation](https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/9.5.x/Important-94484-IntroduceHTMLSanitizer.html). ### Credits Thanks to Benjamin Stiber, Gert-Jan Jansma, Gábor Ács-Kurucz, Alexander Kellner, Richie Lee, Nina Rösch who reported this issue, and to TYPO3 security team member Oliver Hader, as well as TYPO3 contributor Susanne Moog who fixed the issue. ### References * [TYPO3-CORE-SA-2021-013](https://typo3.org/security/advisory/typo3-core-sa-2021-013)

10.4.19
Affected by 0 other vulnerabilities.

11.3.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-7vrs-6mah-2fh9	Cross-Site Scripting in Query Generator & Query View > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.5) ### Problem Failing to properly encode error messages, the components _QueryGenerator_ and _QueryView_ are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2021-010](https://typo3.org/security/advisory/typo3-core-sa-2021-010)	CVE-2021-32668 GHSA-6mh3-j5r5-2379
VCID-ks2k-ehk8-nqbm	Cross-Site Scripting in Backend Grid View ### Problem Failing to properly encode settings for _backend layouts_, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to TYPO3 core merger Oliver Bartsch who reported and fixed the issue.	CVE-2021-32669 GHSA-rgcg-28xm-8mmw
VCID-rmnv-emnu-6bfy	Information Disclosure in User Authentication > ### Meta > * CVSS: `AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the _default_ configuration. ### Solution Update to TYPO3 versions 7.6.52 ELTS, 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Ingo Schmitt who reported this issue, and to TYPO3 core & security team member Benni Mack who fixed the issue. ### References * [TYPO3-CORE-SA-2021-012](https://typo3.org/security/advisory/typo3-core-sa-2021-012)	CVE-2021-32767 GHSA-34fr-fhqr-7235
VCID-v92t-hba5-9uec	Cross-Site Scripting in Page Preview > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC` (5.0) ### Problem Failing to properly encode _Page TSconfig_ settings, corresponding page preview module (_Web>View_) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to TYPO3 core merger Oliver Bartsch who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2021-009](https://typo3.org/security/advisory/typo3-core-sa-2021-009)	CVE-2021-32667 GHSA-8mq9-fqv8-59wf

Vulnerability

Summary

Aliases

VCID-7vrs-6mah-2fh9

Cross-Site Scripting in Query Generator & Query View > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.5) ### Problem Failing to properly encode error messages, the components _QueryGenerator_ and _QueryView_ are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2021-010](https://typo3.org/security/advisory/typo3-core-sa-2021-010)

CVE-2021-32668
GHSA-6mh3-j5r5-2379

VCID-ks2k-ehk8-nqbm

Cross-Site Scripting in Backend Grid View ### Problem Failing to properly encode settings for _backend layouts_, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to TYPO3 core merger Oliver Bartsch who reported and fixed the issue.

CVE-2021-32669
GHSA-rgcg-28xm-8mmw

VCID-rmnv-emnu-6bfy

Information Disclosure in User Authentication > ### Meta > * CVSS: `AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the _default_ configuration. ### Solution Update to TYPO3 versions 7.6.52 ELTS, 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Ingo Schmitt who reported this issue, and to TYPO3 core & security team member Benni Mack who fixed the issue. ### References * [TYPO3-CORE-SA-2021-012](https://typo3.org/security/advisory/typo3-core-sa-2021-012)

CVE-2021-32767
GHSA-34fr-fhqr-7235

VCID-v92t-hba5-9uec

Cross-Site Scripting in Page Preview > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC` (5.0) ### Problem Failing to properly encode _Page TSconfig_ settings, corresponding page preview module (_Web>View_) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to TYPO3 core merger Oliver Bartsch who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2021-009](https://typo3.org/security/advisory/typo3-core-sa-2021-009)

CVE-2021-32667
GHSA-8mq9-fqv8-59wf

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T18:11:49.020924+00:00	GitLab Importer	Affected by	VCID-tvq8-qbwc-qkfs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2021-32768.yml	36.1.3
2025-07-01T18:11:46.151289+00:00	GitLab Importer	Fixing	VCID-ks2k-ehk8-nqbm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2021-32669.yml	36.1.3
2025-07-01T18:11:46.105046+00:00	GitLab Importer	Fixing	VCID-7vrs-6mah-2fh9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2021-32668.yml	36.1.3
2025-07-01T18:11:45.992955+00:00	GitLab Importer	Fixing	VCID-v92t-hba5-9uec	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2021-32667.yml	36.1.3
2025-07-01T18:11:45.838097+00:00	GitLab Importer	Fixing	VCID-rmnv-emnu-6bfy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2021-32767.yml	36.1.3
2025-07-01T12:19:33.300753+00:00	GithubOSV Importer	Fixing	VCID-7vrs-6mah-2fh9	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-6mh3-j5r5-2379/GHSA-6mh3-j5r5-2379.json	36.1.3
2025-07-01T12:19:32.230662+00:00	GithubOSV Importer	Fixing	VCID-ks2k-ehk8-nqbm	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-rgcg-28xm-8mmw/GHSA-rgcg-28xm-8mmw.json	36.1.3
2025-07-01T12:19:31.436880+00:00	GithubOSV Importer	Fixing	VCID-v92t-hba5-9uec	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-8mq9-fqv8-59wf/GHSA-8mq9-fqv8-59wf.json	36.1.3
2025-07-01T12:19:30.851924+00:00	GithubOSV Importer	Fixing	VCID-rmnv-emnu-6bfy	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-34fr-fhqr-7235/GHSA-34fr-fhqr-7235.json	36.1.3