Learn about CVE-2021-21358, a cross-site scripting vulnerability in TYPO3.CMS versions before 10.4.14 and 11.1.1. Understand the impact, technical details, and mitigation steps.
TYPO3.CMS is a PHP-based web content management system. Versions before 10.4.14 and 11.1.1 are vulnerable to cross-site scripting in the Form Framework's Form Designer backend module.
Understanding CVE-2021-21358
TYPO3 CMS versions 10.2.0 to 10.4.13 and 11.0.0 to 11.1.0 are affected by a cross-site scripting vulnerability in the Form Designer backend module.
What is CVE-2021-21358?
The vulnerability in TYPO3.CMS allows an attacker with a valid backend user account to execute cross-site scripting attacks through the Form Designer backend module.
The Impact of CVE-2021-21358
With a CVSS base score of 5.4 (Medium), this vulnerability requires low privileges and user interaction, posing a risk of confidentiality and integrity compromise.
Technical Details of CVE-2021-21358
The CVE-2021-21358 vulnerability is classified as CWE-79 - Cross-site Scripting (XSS).
Vulnerability Description
A flaw in the Form Framework's Form Designer backend module allows attackers to execute cross-site scripting attacks with a valid backend user account.
Affected Systems and Versions
TYPO3 CMS 10.2.0 through 10.4.13 and 11.0.0 through 11.1.0 are affected. The fix ships in 10.4.14 and 11.1.1.
Exploitation Mechanism
An attacker holding a valid backend user account injects script content through the Form Designer backend module in TYPO3.CMS; since the CVSS vector requires user interaction, the script runs when another user views the affected content.
Mitigation and Prevention
To address CVE-2021-21358, immediate action and long-term security practices are essential.
Immediate Steps to Take
Upgrade affected installations to TYPO3 CMS 10.4.14 or 11.1.1. Until the update is applied, keep in mind that exploitation requires a valid backend user account, so limit such accounts to trusted users.
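As an added example (not part of the advisory or of TYPO3 itself), a small Python check that tests TYPO3 version strings from a host inventory against the affected ranges stated above; the inventory and host names are constructed for illustration.

```python
"""Flag TYPO3 CMS installations in the version ranges affected by
CVE-2021-21358: 10.2.0-10.4.13 (fixed in 10.4.14) and 11.0.0-11.1.0
(fixed in 11.1.1). Version ranges are taken from the advisory text."""
from __future__ import annotations
import re

# Per major branch: (first affected version, first fixed version).
AFFECTED_RANGES = {
    10: ((10, 2, 0), (10, 4, 14)),
    11: ((11, 0, 0), (11, 1, 1)),
}

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "web-01": "10.4.13",
    "web-02": "10.4.14",
    "web-03": "v11.0.2",
    "web-04": "11.1.1",
    "web-05": "9.5.25",
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a leading 'v' or a suffix like '-dev' is ignored."""
    match = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised TYPO3 version string: {version!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if the version lies inside an affected range for its branch."""
    parsed = parse_version(version)
    branch = AFFECTED_RANGES.get(parsed[0])
    if branch is None:
        return False  # branch not listed in the advisory (e.g. 9.x)
    first_affected, first_fixed = branch
    return first_affected <= parsed < first_fixed


def audit(inventory: dict[str, str]) -> list[str]:
    """Return the hosts whose TYPO3 version is affected, in inventory order."""
    return [host for host, ver in inventory.items() if is_affected(ver)]


if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: TYPO3 {SAMPLE_INVENTORY[host]} affected by CVE-2021-21358")
```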
Long-Term Security Practices
Regularly monitor security advisories and apply patches promptly to prevent similar vulnerabilities.
Patching and Updates
Stay informed about security updates for TYPO3.CMS and promptly apply patches to secure your systems.