CVE-2021-36787

EPSS 0.69%

Cross-site Scripting in the femanager TYPO3 extension

Published: 9/1/2021 | Modified: 12/2/2024
Also known as: GHSA-f3rf-v9qm-9c89

Description

By default, the extension allows SVG files to be uploaded when a logged-in frontend user uploads a new profile image. Because SVG is an XML document that may carry script elements and event-handler attributes, this may lead to Cross-Site Scripting when the uploaded SVG image is served as-is on the website. Note: If SVG uploads are required, it is recommended to use the TYPO3 extension svg_sanitizer (part of the TYPO3 core since versions 9.5.28, 10.4.18 and 11.3.0) to prevent the upload of malicious SVG files, or to set up a strict Content Security Policy for the destination folder of uploaded images.
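To illustrate what the recommended sanitization step has to remove before an uploaded SVG can be served as-is, here is a minimal SVG sanitizer written as an added example. It is not code from the femanager extension or from the TYPO3 svg_sanitizer extension; it strips script-bearing elements, `on*` event-handler attributes and `javascript:`/`data:`/`vbscript:` URLs using only the Python standard library. The sample input is constructed for the example and uses placeholder handler names rather than a real payload.

```python
"""Minimal SVG sanitizer (added example; not the TYPO3 svg_sanitizer extension)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the default SVG namespace and the xlink prefix readable on output.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that can execute script or embed arbitrary HTML; removed with their subtree.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes in href/xlink:href (or any attribute) that hand control to a script engine.
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)


def _local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def sanitize_svg(svg_bytes: bytes):
    """Return (cleaned_svg_bytes, removed) where removed lists what was stripped.

    Raises ValueError if the document root is not an <svg> element, so callers
    can reject the upload outright instead of storing a non-SVG file under .svg.
    """
    root = ET.fromstring(svg_bytes)
    if _local_name(root.tag) != "svg":
        raise ValueError("not an SVG document")

    removed = []

    # Pass 1: drop forbidden elements. Build the parent map first so the tree is
    # not mutated while ElementTree is iterating over it.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for element, parent in parent_of.items():
        name = _local_name(element.tag)
        if name in FORBIDDEN_ELEMENTS:
            parent.remove(element)
            removed.append(f"element:{name}")

    # Pass 2: drop event handlers and script-scheme URLs on every surviving element.
    for element in root.iter():
        for attr in list(element.attrib):
            local = _local_name(attr).lower()
            value = element.attrib[attr]
            if local.startswith("on") or DANGEROUS_SCHEME.match(value):
                del element.attrib[attr]
                removed.append(f"attr:{local}")

    return ET.tostring(root, encoding="utf-8"), removed


# Constructed sample upload: carries each construct the sanitizer must strip,
# with placeholder handler names instead of a working payload.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="handlerA()">
  <script>/* constructed test content */</script>
  <a xlink:href="javascript:handlerB()"><rect width="10" height="10"/></a>
  <circle r="5" onclick="handlerC()"/>
</svg>"""

if __name__ == "__main__":
    cleaned, stripped = sanitize_svg(SAMPLE_SVG)
    print(cleaned.decode())
    print("removed:", stripped)
```

In a real upload pipeline this check would run before the file is written to the destination folder, and a document that raises `ValueError` (non-SVG root) would be rejected rather than stored. Sanitizing on upload complements, but does not replace, a strict Content Security Policy on the upload directory: the CSP limits what an SVG that slipped through can still do when rendered.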

Affected packages (1)

References (9)