CVE-2021-36787

Name of the Vulnerable Software and Affected Versions femanager extension versions prior to 5.5.1 femanager extension versions 6.x prior to 6.3.1

Description The issue allows for Cross-Site Scripting (XSS) via a crafted SVG document. By default, the extension permits logged-in frontend users to upload SVG files as new profile images, which can lead to XSS when the uploaded image is used on the website.

Recommendations For versions prior to 5.5.1, update to version 5.5.1 or later. For versions 6.x prior to 6.3.1, update to version 6.3.1 or later. As a temporary workaround, consider disabling SVG file uploads for frontend users until a patch is applied. If SVG uploads are necessary, use the TYPO3 extension svg sanitizer to prevent malicious SVG file uploads or set up a strict Content Security Policy for the destination folder of uploaded images.