Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2021-36785

CVE-2021-36785:
Cross-site Scripting in TYPO3 extension

8.5

CVSS Score

Basic Information

CVE ID
CVE-2021-36785
GHSA ID
GHSA-jj8r-p9f5-fmvv
EPSS Score
-
CWE
CWE-79
Published
8/30/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
miniorange/miniorange-samlcomposer< 1.4.31.4.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing output encoding in template rendering functions. The patch added strip_tags() around implode() operations in both processTemplateContent() and getTableContent(), indicating these were points where user-controlled data (nameId and attribute values) was being injected into HTML without proper sanitization. The CWE-79 description and direct correlation with the security fixes in these specific functions confirm their vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** minior*n**_s*ml (*k* Minior*n** S*ml) *xt*nsion ***or* *.*.* *or TYPO* *llows XSS.

Reasoning

T** vuln*r**ility st*ms *rom missin* output *n*o*in* in t*mpl*t* r*n**rin* *un*tions. T** p*t** ***** strip_t**s() *roun* implo**() op*r*tions in *ot* pro**ssT*mpl*t**ont*nt() *n* **tT**l**ont*nt(), in*i**tin* t**s* w*r* points w**r* us*r-*ontroll**