Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2021-36788

CVE-2021-36788:
Cross-site Scripting in the yoast_seo TYPO3 extension

5.4

CVSS Score

Basic Information

CVE ID
CVE-2021-36788
GHSA ID
GHSA-28w5-j8xj-2xwc
EPSS Score
-
CWE
CWE-79
Published
9/1/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
yoast-seo-for-typo3/yoast_seocomposer< 7.2.37.2.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The patch explicitly adds sanitization (strip_tags() in PHP, stripFullTags() in JS) to these functions. The original code in PreviewService.php decoded HTML entities without removing tags, StructuredDataProviderManager.php allowed unsafe JSON slashes, and the JS actions lacked input sanitization. These un-sanitized outputs would render user-controlled data directly into HTML/script contexts, creating XSS opportunities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *xt*nsion **ils to prop*rly *n*o** us*r input *or output in *TML *ont*xt. * TYPO* ***k*n* us*r ***ount is r*quir** to *xploit t** vuln*r**ility.

Reasoning

T** p*t** *xpli*itly ***s s*nitiz*tion (strip_t**s() in P*P, strip*ullT**s() in JS) to t**s* *un*tions. T** ori*in*l *o** in Pr*vi*wS*rvi**.p*p ***o*** *TML *ntiti*s wit*out r*movin* t**s, Stru*tur****t*Provi**rM*n***r.p*p *llow** uns*** JSON sl*s**s