148 matches found
CVE-2020-11063
In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2...
CVE-2020-11063
In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2...
Default credentials
In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2...
Information Disclosure in Password Reset
In TYPO3 CMS 10.4.0 through 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2...
Information Disclosure in Password Reset
It has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to verify whether a backend user account with a given email address exists or not...
GHSA-4MVC-QC5W-V5QR Information disclosure in the Contao backend
Impact Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them. Patches Update to Contao 4.4.46 or 4.8.6. Workarounds None. References https://contao.org/en/security-advisories/information-disclosure-in-the-back-end For more information If...
Design/Logic Flaw
Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them...
TYPO3 9.3.x <= 9.5.7 Broken Access Control Vulnerability
TYPO3 CMS is susceptible to a broken access control vulnerability. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:typo3:typo3"; ...
Information Disclosure in Page Tree
It has been discovered backend users not having read access to specific pages still could see them in the page tree which actually should be disallowed. A valid backend user account is needed in order to exploit this vulnerability...
Broken Access Control in Localization Handling
It has been discovered that backend users having limited access to specific languages are capable of modifying and creating pages in the default language which actually should be disallowed. A valid backend user account is needed in order to exploit this vulnerability...
Arbitrary Code Execution via File List Module
Due to missing file extensions in $GLOBALS'TYPO3CONFVARS''BE'‘fileDenyPattern’, backend users are allowed to upload .phar, .shtml, .pl or .cgi files which can be executed in certain web server setups. A valid backend user account is needed in order to exploit this vulnerability...
CVE-2010-3659
Multiple cross-site scripting XSS vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified parameters to the extension manager, or unspecified...
CVE-2010-3659
CVE-2010-3659 concerns multiple cross-site scripting (XSS) flaws in TYPO3 CMS. The vulnerabilities affect TYPO3 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1, allowing remote authenticated backend users to inject arbitrary script/HTML via unspecified paramet...
Missing Access Check in TYPO3 CMS
It has been discovered, that TYPO3 CMS lacks an access check for Extbase actions. Component Type: TYPO3 CMS Release Date: May 24, 2016 Vulnerable subcomponent: Extbase Vulnerability Type: Missing access check Affected Versions: Versions 4.3.0 up to 8.1.0 Severity: Critical Suggested CVSS v2.0:...
A directory traversal vulnerability allows back end users to view files outside their document root
More info at https://contao.org/en/news/directory-traversal-vulnerability-cve-2015-0269.html...
TYPO3 Authentication Subcomponent Authentication Bypass Vulnerability
TYPO3 is prone to an authentication bypass vulnerability. SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:typo3:typo3";...
CVE-2014-3949
Cross-site scripting XSS vulnerability in the layout wizard in the Grid Elements gridelements extension before 1.5.1 and 2.0.x before 2.0.3 for TYPO3 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors...
Cross site scripting
Cross-site scripting XSS vulnerability in the layout wizard in the Grid Elements gridelements extension before 1.5.1 and 2.0.x before 2.0.3 for TYPO3 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors...
CVE-2014-3949
Cross-site scripting XSS vulnerability in the layout wizard in the Grid Elements gridelements extension before 1.5.1 and 2.0.x before 2.0.3 for TYPO3 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors...
CVE-2014-3949
CVE-2014-3949 describes a cross-site scripting (XSS) vulnerability in the Grid Elements (gridelements) TYPO3 extension. The issue affects the layout wizard in versions before 1.5.1 and 2.0.x before 2.0.3, allowing a remote authenticated backend user to inject arbitrary script or HTML via unspecif...