PT-2021-21361 · Typo3 · Typo3 Routes Extension

Oliver Hader · Published 2021-08-13 · Updated 2022-07-12 · CVE-2021-36793

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: TYPO3 routes extension, versions prior to 2.1.1

Description: The issue allows sensitive information disclosure because a session identifier is present in the HTML output when CsrfTokenViewHelper is used. The extension writes the user's session identifier into the HTML as-is, without first passing it through a cryptographic hash or similar one-way derivation. The vulnerability cannot be exploited directly; it requires a chained attack, such as Cross Site Scripting in the frontend output.

Recommendations: For versions prior to 2.1.1, update to version 2.1.1 or later to resolve the issue. As a temporary workaround, consider disabling the CsrfTokenViewHelper until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.
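The advisory's core point is that a CSRF token must not be the session identifier itself, but a value derived from it with a keyed one-way function, so that disclosure of the HTML does not disclose the session. The following is an added illustration written for this page; it is not code from the TYPO3 routes extension or from its fix. The function names (rawTokenVulnerable, derivedTokenHardened, verifyToken), the scope string and all sample values are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the TYPO3 routes extension. Function names
// (rawTokenVulnerable, derivedTokenHardened, verifyToken) and all sample values
// are assumptions constructed for this example.

// Pattern the advisory describes: the value placed in the HTML as a CSRF token
// is the session identifier itself. Anything that can read the rendered page
// (the chained XSS the advisory mentions) then learns the session identifier.
function rawTokenVulnerable(string $sessionId): string
{
    return $sessionId;
}

// Hardened pattern: derive the token as HMAC-SHA256 over the session identifier
// and a scope string, keyed with a server-side secret. The token stays bound to
// the session, but the session identifier cannot be recovered from it and the
// token cannot be forged without the secret.
function derivedTokenHardened(string $sessionId, string $scope, string $serverSecret): string
{
    return hash_hmac('sha256', $sessionId . "\0" . $scope, $serverSecret);
}

// Server-side check on form submission; hash_equals() is a constant-time compare.
function verifyToken(string $submitted, string $sessionId, string $scope, string $serverSecret): bool
{
    $expected = derivedTokenHardened($sessionId, $scope, $serverSecret);
    return hash_equals($expected, $submitted);
}

// Constructed demo values. In a real TYPO3 installation the secret would come
// from configuration ($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] is the
// site-wide secret TYPO3 provides) and would never be generated per request.
$sessionId    = bin2hex(random_bytes(16));
$serverSecret = bin2hex(random_bytes(32));
$scope        = 'contact-form';

$weak   = rawTokenVulnerable($sessionId);
$strong = derivedTokenHardened($sessionId, $scope, $serverSecret);

printf("session id            : %s\n", $sessionId);
printf("vulnerable token      : %s  (identical to session id: %s)\n",
    $weak, $weak === $sessionId ? 'yes' : 'no');
printf("hardened token        : %s\n", $strong);
printf("verify(correct token) : %s\n",
    verifyToken($strong, $sessionId, $scope, $serverSecret) ? 'accepted' : 'rejected');
printf("verify(tampered token): %s\n",
    verifyToken(strrev($strong), $sessionId, $scope, $serverSecret) ? 'accepted' : 'rejected');
printf("verify(other session) : %s\n",
    verifyToken($strong, bin2hex(random_bytes(16)), $scope, $serverSecret) ? 'accepted' : 'rejected');
```

Run with `php example.php`. The hardened token is accepted only for the session and scope it was issued for, and a reader of the HTML sees a 64-character hex digest rather than the session identifier. Binding the token to a scope string means a token captured from one form does not validate for another, which limits what a partial disclosure is worth.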

Fix · Information Disclosure · Exposure of Resource to Wrong Sphere


Weakness Enumeration

Related Identifiers

CVE-2021-36793
GHSA-VPW5-GRXX-V396

Affected Products

Typo3 Routes Extension