CVE-2021-32669: 
PHP vulnerability analysis and mitigation

TYPO3, an open source PHP based web content management system, versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 were found to contain a cross-site scripting vulnerability. The issue was discovered in July 2021 and tracked as CVE-2021-32669. The vulnerability affects the backend layout functionality of the system (TYPO3 Advisory, GitHub Advisory).

The vulnerability stems from improper encoding of settings for backend layouts, which makes the corresponding grid view vulnerable to persistent cross-site scripting. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows attackers with valid backend user accounts to inject malicious scripts into the backend grid view. Due to its persistent nature, the injected scripts would remain in the system and could affect other backend users who access the compromised grid view (TYPO3 Advisory).

The vulnerability has been patched in TYPO3 versions 9.5.29, 10.4.18, and 11.3.1. Users are advised to update to these or later versions to address the security issue. No alternative workarounds have been provided (TYPO3 Advisory).

The vulnerability was reported and fixed by TYPO3 core merger Oliver Bartsch. The TYPO3 team addressed the issue promptly by releasing patched versions (TYPO3 Advisory).