TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.25, 10.4.14, 11.1.1 requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This is fixed in versions 9.5.25, 10.4.14, 11.1.1.
CVE-2021-21359
MEDIUMNVD 5.95.9—
EchelonGraph scoreMEDIUM confidence
This medium-severity CVE scores 5.9 under NVD CVSS v3. EPSS exploit probability: 0.3%, top 45% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
Triggered by: NVD CVSS baseline
Sources: epss, nvd
5.9
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
- Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 2%CVSS: 5.9Exploit: NoneExposed: 0
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 5.9
- EG Score
- 5.9(medium)
- EPSS
- 74.9%
- KEV
- Not listed
Published
March 23, 2021
Last Modified
November 21, 2024
References (6)
- security-advisories@githubhttps://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4p9g-qgx9-397p
- security-advisories@githubhttps://packagist.org/packages/typo3/cms-core
- security-advisories@githubhttps://typo3.org/security/advisory/typo3-core-sa-2021-005
- af854a3a-2127-422b-91ae-364da2661108https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4p9g-qgx9-397p
- af854a3a-2127-422b-91ae-364da2661108https://packagist.org/packages/typo3/cms-core
- af854a3a-2127-422b-91ae-364da2661108https://typo3.org/security/advisory/typo3-core-sa-2021-005
Affected Packages
(2 across 1 ecosystem)
Packagist(2)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| typo3/cms | v9.0.0 ... v9.5.9 (34 versions) | 9.5.25 | — |
| typo3/cms-core | v9.0.0 ... v9.5.9 (34 versions) | 9.5.25 | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Frequently asked(5)
What is CVE-2021-21359?
CVE-2021-21359 is a medium vulnerability published on March 23, 2021. TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.25, 10.4.14, 11.1.1 requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a…
When was CVE-2021-21359 disclosed?
CVE-2021-21359 was first published in the National Vulnerability Database on March 23, 2021, with the most recent update on November 21, 2024. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2021-21359 actively exploited?
CVE-2021-21359 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 74.9% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2021-21359?
CVE-2021-21359 has a CVSS v3 base score of 5.9 (NVD).
How do I remediate CVE-2021-21359?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2021-21359, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-21359
Is Your Infrastructure Affected by CVE-2021-21359?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.