
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-36793 affects the TYPO3 extension routes (also known as Extbase Yaml Routes) in versions before 2.1.1. When a template uses the extension's CsrfTokenViewHelper, the rendered HTML contains the user's session identifier, which is a sensitive information disclosure. The issue was disclosed on August 10, 2021 (TYPO3 Advisory).
The view helper is meant to emit an anti-CSRF token for forms. Instead of deriving that token from the session with a cryptographic hash, it writes the raw session identifier into the HTML output, so a value that should only ever travel in the session cookie ends up in page content. The vulnerability has a CVSS v3.1 base score of 7.5 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (TYPO3 Advisory).
On its own the leak is not directly exploitable, because the page is rendered for the user who owns the session. It becomes valuable as part of a chained attack: a Cross-Site Scripting flaw in the frontend output, for example, lets injected script read the token out of the DOM and hijack the victim's session, and placing the identifier in the HTML defeats the HttpOnly protection that normally keeps scripts away from the session cookie. The end result is unauthorized access to user sessions (TYPO3 Advisory).
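The following added example illustrates the flaw class described above and the fix the advisory implies; it is not code from the routes extension or from TYPO3, and the function names, the constructed server secret and the constructed session identifier are assumptions for illustration. The vulnerable variant emits the session identifier itself as the "token"; the hardened variant derives the token from the session identifier with HMAC-SHA256 under a server-side secret, so the HTML carries a value bound to the session but not reversible to it, and it includes the check a practitioner would run against rendered frontend HTML to detect the leak.

```python
import hashlib
import hmac
import html

# Constructed, installation-wide secret used only for this illustration. A real
# deployment loads a per-site secret from configuration; it is never hard-coded.
SERVER_SECRET = bytes.fromhex(
    "6f1d2c8b9e3a4f7056c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3"
)

# Constructed session identifier, standing in for the value of the session cookie.
SESSION_ID = "7d0f5c3b2a1e9f8d6c4b5a3e2d1c0b9a"


def vulnerable_csrf_token(session_id: str) -> str:
    """Flawed pattern: the 'CSRF token' is the raw session identifier.

    Whoever can read the rendered HTML now also holds the session identifier.
    """
    return session_id


def hardened_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive the token with a keyed hash (HMAC-SHA256) over the session identifier.

    The HTML receives only the digest. Without the server secret the session
    identifier cannot be recovered from it, yet the token is still tied to
    exactly one session, which is all a CSRF check needs.
    """
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def render_hidden_field(token: str) -> str:
    """Emit the hidden form field a CSRF view helper typically renders."""
    return '<input type="hidden" name="__csrf_token" value="%s" />' % html.escape(token)


def verify_token(session_id: str, submitted: str, secret: bytes = SERVER_SECRET) -> bool:
    """Server-side check: recompute the expected token and compare in constant time."""
    expected = hardened_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, submitted)


def leaks_session_id(html_output: str, session_id: str) -> bool:
    """Detection check: does the rendered page contain the session cookie's value?"""
    return session_id in html_output


if __name__ == "__main__":
    bad_page = render_hidden_field(vulnerable_csrf_token(SESSION_ID))
    good_page = render_hidden_field(hardened_csrf_token(SESSION_ID))
    print("vulnerable output leaks session id:", leaks_session_id(bad_page, SESSION_ID))
    print("hardened output leaks session id:  ", leaks_session_id(good_page, SESSION_ID))
    print("hardened token verifies:", verify_token(SESSION_ID, hardened_csrf_token(SESSION_ID)))
```

To check a live site for this class of leak, fetch a frontend page that renders a form while logged in and run the same substring test with the value of your own session cookie; any hit means the identifier is in page content and readable by script. A keyed hash is used here rather than a plain hash so that the token also cannot be computed by anyone who learns the session identifier by other means; a plain SHA-256 of a high-entropy session identifier would likewise prevent recovery of the identifier from the HTML, but would not bind the token to the server.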
The vulnerability is fixed in version 2.1.1 of the routes extension, and users of earlier versions should update as soon as possible. The fixed release is available through the TYPO3 extension manager, through Packagist for Composer-based installations, and as a direct download from the TYPO3 extension repository (TYPO3 Advisory).
Source: This report was generated using AI