Commit 65a5246c authored by Oliver Bartsch, committed by Oliver Hader

[SECURITY] Mitigate XSS in PreviewRenderer for menus

The content element preview for menus displays the
menu type label along with the record title of the
defined pages and categories. Since the output was
not properly encoded, this led to an XSS vulnerability
in the page module.

The issue is addressed by properly encoding user input.

Note: Because of a bug in `PreviewRenderer`, the
vulnerable code was most likely not executed in any
TYPO3 installation after v8.6.0.

Resolves: #93664
Releases: master, 11.1, 10.4, 9.5
Change-Id: I56ec17f5f07ff4d7c28f2241e0c9eeee9affd71f
Security-Bulletin: TYPO3-CORE-SA-2021-008
Security-References: CVE-2021-21370
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68453


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
parent 2f35faff