Lucene search
K

60 matches found

CVE
CVE
added 2024/01/06 12:0 a.m.54 views

CVE-2023-39853

CVE-2023-39853 affects Dzzoffice 2.01. A SQL injection vulnerability exists in the Network Disk backend module, exploitable via the doobj and doevent parameters to leak or access sensitive information. The NVD/CNA metrics indicate network access with low attack complexity and minimal privileges r...

6.5CVSS6.7AI score0.00744EPSS
Exploits1References1Affected Software1
Github Security Blog
Github Security Blog
added 2023/12/13 11:11 p.m.13 views

Broken Access Control in extension "femanager"

The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts. Another missing access check in the backend module of the extensions...

6.9AI score0.00341EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2023/12/13 11:10 p.m.42 views

GHSA-P6XX-FHFW-7MJ7 Configuration Injection in extension "Direct Mail" (direct_mail)

The “Configuration” backend module of the extension allows an authenticated user to write arbitrary page TSConfig for folders configured as “Direct Mail”. Exploiting the vulnerability may lead to Configuration Injection TYPO3 10.4 and above and to Arbitrary Code Execution TYPO3 9.5 and below. A...

8.8CVSS7AI score0.01517EPSS
Exploits0References3
Veracode
Veracode
added 2022/12/15 6:24 a.m.32 views

Arbitrary Code Execution

typo3/cms and typo3/cms-core are vulnerable to arbitrary code execution. An attacker is able to inject and execute malicious TypoScript as PHP code due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module...

8.8CVSS9AI score0.00785EPSS
Exploits0References8Affected Software2
Veracode
Veracode
added 2022/12/15 5:42 a.m.23 views

Information Disclosure

typo3 is vulnerable to information disclosure. The vulnerability exists because the library does not properly handle user-submitted YAML placeholder expressions in the site configuration backend module which allows an attacker to access sensitive information of the system...

5.7CVSS5.3AI score0.00514EPSS
Exploits0References7Affected Software2
Prion
Prion
added 2022/12/14 8:15 a.m.16 views

Information disclosure

TYPO3 is an open source PHP based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to Sensitive Information Disclosure. Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend module, attackers coul...

3.3CVSS5.3AI score0.00514EPSS
Exploits0References1Affected Software1
Prion
Prion
added 2022/12/14 8:15 a.m.22 views

Code injection

TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible t...

6.5CVSS8.6AI score0.00785EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2022/12/14 7:51 a.m.51 views

CVE-2022-23503 TYPO3 vulnerable to Arbitrary Code Execution via Form Framework

TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible t...

7.5CVSS8.8AI score0.00785EPSS
Exploits0References1
OSV
OSV
added 2022/12/14 7:51 a.m.26 views

CVE-2022-23503 TYPO3 vulnerable to Arbitrary Code Execution via Form Framework

TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible t...

7.5CVSS8.6AI score0.00785EPSS
Exploits0References3
OSV
OSV
added 2022/12/13 5:13 p.m.25 views

GHSA-8W3P-QH3X-6GJR TYPO3 CMS vulnerable to Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration

CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C 5.3 Problem Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messag...

5.7CVSS5.5AI score0.00514EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2022/12/13 5:13 p.m.29 views

TYPO3 CMS vulnerable to Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration

CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C 5.3 Problem Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messag...

5.7CVSS5.5AI score0.00514EPSS
Exploits0References7Affected Software2
Tenable Nessus
Tenable Nessus
added 2022/12/13 12:0 a.m.27 views

TYPO3 8.0.0 < 8.7.49 ELTS / 9.0.0 < 9.5.38 ELTS / 10.0.0 < 10.4.33 / 11.0.0 < 11.5.20 / 12.0.0 < 12.1.1 (TYPO3-CORE-SA-2022-015)

The version of TYPO3 installed on the remote host is prior to 8.0.0 8.7.49 ELTS / 9.0.0 9.5.38 ELTS / 10.0.0 10.4.33 / 11.0.0 11.5.20 / 12.0.0 12.1.1. It is, therefore, affected by a vulnerability as referenced in the TYPO3-CORE-SA-2022-015 advisory. - Due to the lack of separating user-submitted...

8.8CVSS8AI score0.00785EPSS
Exploits0References2
OSV
OSV
added 2022/09/16 9:2 p.m.23 views

GHSA-6VFQ-JMXG-G58R Shopware contains sensitive data in backend customer module

Impact The request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID. Patches We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the...

5.4CVSS5.3AI score0.00527EPSS
Exploits0References6
vulnersOsv
vulnersOsv
added 2022/06/17 1:11 a.m.6 views

@backstage-community/plugin-techdocs-backend-module-confluence (>=0.2.0 <=0.2.1), @backstage/plugin-search-backend-module-techdocs (>=0.0.0-nightly-20230323021924 <=0.4.15-next.0) +13 more potentially affected by unknown CVE via @backstage/plugin-techdocs-node (>=0.0.0-nightly-20220315022536 <=1.1.2-next.2)

@backstage/plugin-techdocs-node NPM version =0.0.0-nightly-20220315022536, =0.2.0, =0.0.0-nightly-20230323021924, =0.0.0-nightly-202111212297, =0.0.0-nightly-20220305022735, =1.0.0, =1.0.1, =1.6.0, =0.0.4, =1.9.1, =1.0.1, =1.0.1, =0.0.0-nightly-2022122206, =0.1.5, =0.1.2, =1.1.0 Source cves:...

5.7AI score
Exploits0
CVE
CVE
added 2022/06/14 8:50 p.m.101 views

CVE-2022-31048

TYPO3’s Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user with access to the Form module can exploit it. Affected TYPO3 versions prior to the fixes are 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11. The problem is fixed in those releas...

5.4CVSS5.1AI score0.00717EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2022/06/14 8:50 p.m.38 views

CVE-2022-31048 Cross-Site Scripting in Form Framework

TYPO3 is an open source web content management system. Prior to versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit...

5.4CVSS5.5AI score0.00717EPSS
Exploits0References3
OSV
OSV
added 2022/05/24 5:3 p.m.78 views

GHSA-RCGC-4XFC-564V TYPO3 Insecure Deserialization in Query Generator & Query View

An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel Backend Module: DB...

8.8CVSS8.5AI score0.01267EPSS
Exploits0References5
OSV
OSV
added 2022/05/24 4:58 p.m.27 views

GHSA-J2W4-45QM-R674 direct_mail for Typo3 sensitive data exposure

The directmail aka Direct Mail extension through 5.2.2 for TYPO3 has a missing access check in the backend module, allowing a user with restricted permissions to the feusers table to view and export data of frontend users who are subscribed to a newsletter...

4.3CVSS4.4AI score0.00685EPSS
Exploits0References5
OSV
OSV
added 2022/05/17 2:17 a.m.17 views

GHSA-733V-22MG-7F8W TYPO3 Cross-site Scripting vulnerability in the file backend module

Cross-site scripting XSS vulnerability in the file backend module in TYPO3 4.2.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors...

4.3CVSS5.5AI score0.01089EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2022/05/17 2:17 a.m.18 views

TYPO3 Cross-site Scripting vulnerability in the file backend module

Cross-site scripting XSS vulnerability in the file backend module in TYPO3 4.2.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors...

4.3CVSS6AI score0.01089EPSS
Exploits0References6Affected Software1
Rows per page
Query Builder