XML External Entity (XXE) Injection
Overview tpwd/kesearch is a search extension for TYPO3, including faceted search functions. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the OOXML parsing of the file indexer, because external entity resolution is not disabled. A crafted XLSX or PPTX document...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data because the extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the untrusted client input. A remote, unauthenticated attacker can supply a crafted serialized...
SQL Injection in extension "News system" (news)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-010...
CVE-2026-46725
The CVE-2026-46725 vulnerability affects the TYPO3 extension Content Element Selector (ceselector). The issue arises when an attacker-controlled cookie is passed directly to PHP unserialize() without safe input handling, enabling PHP Object Injection that can lead to Remote Code Execution on the ...
CVE-2026-46725 Remote Code Execution in extension "Content Element Selector" (ceselector)
The extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation...
TYPO3 Extension Faceted Search Path Traversal Vulnerability
TYPO3 Extension Faceted Search is an open-source extension for TYPO3 that enables faceted search. TYPO3 Extension Faceted Search has a path traversal vulnerability. This vulnerability stems from the fact that the file indexer does not normalize the configured directory paths. As a result, backend...
TYPO3-EXT-SA-2026-013: Remote Code Execution in extension "Content Element Selector" (ceselector)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-013...
EUVD-2026-3591
mailqueue TYPO3 extension affected by Insecure Deserialization...
CVE-2026-0895
The extension extends TYPO3's FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 (https://typo3.org/security/advisory/typo3-core-sa-2026-004). Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core...
CVE-2009-4161
Cross-site scripting (XSS) vulnerability in the AN Search it! (ansearchit) extension 2.4.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
CVE-2009-4701
SQL injection vulnerability in the Myth download (mythdownload) extension 0.1.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors...
CVE-2009-4710
SQL injection vulnerability in the Reset backend password (cwtresetbepassword) extension 1.20 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors...
CVE-2009-4969
SQL injection vulnerability in the Solidbase Bannermanagement (SBbanner) extension 1.0.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors...
CVE-2009-4165
SQL injection vulnerability in the simple Glossar (simpleglossar) extension 1.0.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors...
CVE-2009-4705
Cross-site scripting (XSS) vulnerability in the Twitter Search (twittersearch) extension before 0.1.1 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
CVE-2009-4400
Cross-site scripting (XSS) vulnerability in the Parish Administration Database (steparishadmin) extension 0.1.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
CVE-2009-4398
Cross-site scripting (XSS) vulnerability in the Parish of the Holy Spirit Religious Art Gallery (hsreligiousartgallery) extension 0.1.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
CVE-2009-4392
SQL injection vulnerability in the XDS Staff List (xdsstaff) extension 0.0.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors...
CVE-2009-4949
SQL injection vulnerability in the Store Locator extension before 1.2.8 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors...
CVE-2009-4163
SQL injection vulnerability in the TW Productfinder (twproductfinder) extension 0.0.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors...