6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-36793

GHSA ID

GHSA-vpw5-grxx-v396

EPSS Score

0.48555%

CWE

CWE-668

Published

9/2/2021

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-36793

CVE-2021-36793: CSRF token exposure in TYPO3 extension

When using the CsrfTokenViewHelper the extension discloses the user's session identifier to HTML output without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance Cross Site Scripting in the frontend output.

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-36793

GHSA ID

GHSA-vpw5-grxx-v396

EPSS Score

0.48555%

CWE

CWE-668

Published

9/2/2021

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
lms/routes	composer	< 2.1.1	2.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly implicates the CsrfTokenViewHelper as the source of session ID exposure. In TYPO3 Fluid templating, ViewHelpers' render() methods generate output. The advisory indicates this helper outputs raw session tokens instead of hashed values, matching CWE-668's exposure pattern. The naming convention and vulnerability mechanism strongly point to the render method in this specific ViewHelper class being the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n usin* t** *sr*Tok*nVi*w**lp*r t** *xt*nsion *is*los*s t** us*r's s*ssion i**nti*i*r to *TML output wit*out pro**ssin* o* ***ition*l *rypto*r*p*i* **s*in* *l*orit*ms. T*is vuln*r**ility **nnot ** *xploit** *ir**tly *n* o**urs in *om*in*tion wit*

Reasoning

T** vuln*r**ility **s*ription *xpli*itly impli**t*s t** `*sr*Tok*nVi*w**lp*r` *s t** sour** o* s*ssion I* *xposur*. In TYPO* *lui* t*mpl*tin*, Vi*w**lp*rs' `r*n**r()` m*t*o*s **n*r*t* output. T** **visory in*i**t*s t*is **lp*r outputs r*w s*ssion tok

6.3

Basic Information

Concerned about an active attack path?

CVE-2021-36793: CSRF token exposure in TYPO3 extension

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI