12 matches found
TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController
Problem The ShowImageController eID txcmsshowpic lacks a cryptographic HMAC-signature on the frame HTTP query parameter e.g. /index.php?eID=txcmsshowpic?file=3&...&frame=12345. This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side...
GHSA-Q9W4-W667-QQJ4 ckeditor-wordcount-plugin vulnerable to Cross-site Scripting in Source Mode of Editor
Problem It has been discovered that the ckeditor-wordcount-plugin plugin for CKEditor4 is susceptible to cross-site scripting when switching to the source code mode. Solution Update to version 1.17.12 of the ckeditor-wordcount-plugin plugin. Credits @sypets for reporting this finding to the TYPO3...
ckeditor-wordcount-plugin vulnerable to Cross-site Scripting in Source Mode of Editor
Problem It has been discovered that the ckeditor-wordcount-plugin plugin for CKEditor4 is susceptible to cross-site scripting when switching to the source code mode. Solution Update to version 1.17.12 of the ckeditor-wordcount-plugin plugin. Credits @sypets for reporting this finding to the TYPO3...
GHSA-P48W-VF3C-RQJX Cross-Site Scripting in Bootstrap Package
Problem It has been discovered that rendering content in the website frontend is vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. The following templates are affected by the vulnerability:...
Multiple vulnerabilities in extension phpMyAdmin (phpmyadmin)
It has been discovered that the extension "phpMyAdmin" phpmyadmin is susceptible to unsafe comparison of XSRF/CSRF token, multiple full path disclosure vulnerabilities, multiple XSS vulnerabilities, insecure password generation in JavaScript. Release Date: March 10, 2016 Component Type: Third par...
Cross-site scripting vulnerability in extension powermail for TYPO3 (powermail)
It has been discovered that the extension "powermail" powermail is vulnerable to Cross-Site Scripting, SQL Injection and Arbitrary Code Execution. Release Date: August 8, 2012 Bulletin update: August 9, 2012 added update help for extension manager, added further download link Component Type: Thir...
Cross-Site Scripting and Open Redirection vulnerability in extension phpMyAdmin (phpmyadmin)
It has been discovered that the extension phpMyAdmin phpmyadmin is vulnerable to Cross-Site Scripting and Open Redirection. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 4.10.3 and below Vulnerability Type:...
Multiple vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third party TYPO3 extensions: "CoolURI" cooluri, "Reset backend password" cwtresetbepassword, "datamints Newsticker" datamintsnewsticker, "Gobernalia Front End News Submitter" gbfenewssubmit, "Mailform" mailform, "Myth download" mythdownloa...
TYPO3 Security Bulletin
It has been discovered that the extension phpMyAdmin phpmyadmin is vulnerable to SQL injections via XSRF. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 4.1.1 and all versions below Vulnerability Type: SQL injectio...
Multiple vulnerabilities in extension Statistics (ke_stats)
It has been discovered that the extension Statistics kestats is vulnerable to Blind SQL Injection attacks. Also, a Cross Site Scripting issue has been found. Component Type: Third party extension. This extension is not part of the TYPO3 default installation. Affected Versions: Version 0.1.2 and...
Remote shell command execution in extensions embedding PHPMailer
Multiple TYPO3 extensions is affected by the third party tool PHPMailer, which is vulnerable to a remote shell command execution. Component Type: Third party tool. This tool is not part of the TYPO3 default installation. Affected extensions: agprjmgm version 0.0.1 bbphpmailer version 1.73.1 and a...
Multiple vulnerabilities in extension mm_forum
It has been discovered that the extension mmforum is vulnerable to multiple SQL Injection attacks and multiple XSS flaws alongside other vulnerabilities. Component Type: Third party extension. This extension is not part of the TYPO3 default installation. Affected Versions: Version 0.1.2 and all...