[SECURITY] Mitigate XSS in PreviewRenderer for menus · 1d0abfa0
Oliver Bartsch authored and Oliver Hader committed
    
    
    The content element preview for menus displays the
    menu type label along with the record title of the
    defined pages and categories. Since the output was
    not properly encoded, this led to an XSS vulnerability
    in the page module.
    
    The issue is addressed by properly encoding user input.
    
    Note: Because of a bug in `PreviewRenderer`, the
    vulnerable code was most likely not executed in any
    TYPO3 installation after v8.6.0.
    
    Resolves: #93664
    Releases: master, 11.1, 10.4, 9.5
    Change-Id: I56ec17f5f07ff4d7c28f2241e0c9eeee9affd71f
    Security-Bulletin: TYPO3-CORE-SA-2021-008
    Security-References: CVE-2021-21370
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68417
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
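The encoding fix the commit message describes, shown as an added illustration that is not TYPO3's code and not this commit's diff: the two renderer functions, the `escapeHtml` helper and the sample records are assumptions constructed for the example, and the hardened form relies on PHP's standard `htmlspecialchars`.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3's own PreviewRenderer: a minimal menu preview
// renderer with the unencoded ("before") output beside the encoded ("after") form.
// Record titles and labels are editor-controlled data, so they are untrusted
// whenever they are placed into an HTML context.

/** Escape a string for use as HTML text or attribute content (assumed helper). */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable variant: interpolates the label and record titles verbatim into markup. */
function renderMenuPreviewUnsafe(string $menuTypeLabel, array $records): string
{
    $items = array_map(fn(array $r): string => '<li>' . $r['title'] . '</li>', $records);
    return '<strong>' . $menuTypeLabel . '</strong><ul>' . implode('', $items) . '</ul>';
}

/** Hardened variant: every untrusted value is encoded at the point of output. */
function renderMenuPreview(string $menuTypeLabel, array $records): string
{
    $items = array_map(
        fn(array $r): string => '<li>' . escapeHtml((string)$r['title']) . '</li>',
        $records
    );
    return '<strong>' . escapeHtml($menuTypeLabel) . '</strong><ul>' . implode('', $items) . '</ul>';
}

/** Self-check: no markup-significant character from the input survives unencoded. */
function outputIsEncoded(string $html, array $records): bool
{
    foreach ($records as $r) {
        if (strpos($html, (string)$r['title']) !== false && preg_match('/[<>"&]/', (string)$r['title'])) {
            return false; // the raw title, including its special characters, is present verbatim
        }
    }
    return true;
}

// Constructed sample data: one harmless title and one containing markup-significant characters.
$records = [
    ['uid' => 1, 'title' => 'Home'],
    ['uid' => 2, 'title' => 'Contact <b>us</b> & "more"'],
];

$unsafe = renderMenuPreviewUnsafe('Pages', $records);
$safe   = renderMenuPreview('Pages', $records);

echo $unsafe, PHP_EOL; // the <b> tag from the record title is rendered as live markup
echo $safe, PHP_EOL;   // the same title appears as literal text: &lt;b&gt;us&lt;/b&gt; &amp; &quot;more&quot;

var_dump(outputIsEncoded($unsafe, $records)); // false
var_dump(outputIsEncoded($safe, $records));   // true
```

`ENT_QUOTES` matters because the same label could end up inside an attribute value, where an unescaped double quote breaks out of the attribute even though `<` and `>` are handled; `ENT_SUBSTITUTE` keeps invalid UTF-8 from silently producing an empty string. Encoding at the output point, rather than on save, is what keeps the stored record title intact for non-HTML consumers while still making the backend preview safe.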