Sanitization bypass in SVG Sanitizer
The SVG sanitizer library enshrined/svg-sanitize before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML fetched as text/html was susceptible to cross-site scripting. Plain SVG files fetched as image/svg+xml were not affected...
Insecure direct object reference in extension "Varnishcache" (varnishcache)
The Edge Site Includes (ESI) content element renderer component of the extension does not include an access check. This allows an unauthenticated user to render various content elements, resulting in insecure direct object reference (IDOR) with the potential of exposing internal content elements...
Server-side request forgery in extension "Kitodo.Presentation" (dlf)
A missing access check in an eID script of the extension allows an unauthenticated user to submit arbitrary URLs to this component. This results in Server-side request forgery allowing users to view the content of any file or webpage the webserver has access to...
File Content Injection in extension "Hardcoded text to Locallang" (mqk_locallangtools)
The extension fails to verify the filename of saved language files which results in File Content Injection. An authenticated user with editor permissions can use the vulnerability to inject predefined content into any file the webserver has access to resulting in affected files being corrupted...
Cross-Site Scripting in extension "Bookdatabase" (extbookdatabase)
The extension bundles a vulnerable version of the 3rd party JavaScript component “Datatables” which was known to be vulnerable to Cross-Site Scripting...
Statement on Recent log4j/log4shell Vulnerabilities (CVE-2021-44228)
The critical vulnerability that was recently exposed in the log4j Java library is currently going through the media and some TYPO3 users are unsure whether TYPO3 CMS or TYPO3 extensions are affected by this vulnerability too...
Mitigation of Cache Poisoning Caused by Untrusted URL Query Parameters
TYPO3 core internally uses the TypoScript function typolink to generate links to pages. The typolink property addQueryString can be used to append all query parameters—present in a corresponding HTTP request—to generated links. This typolink behavior does not have any functionality to determine...
Denial of Service in extension "Code Highlight" (codehighlight)
The extension bundles a vulnerable version of the 3rd party JavaScript component “prism” which is known to be vulnerable to Regular expression Denial of Service (ReDoS)...
Cross-Site Scripting in extension "Google for Jobs" (google_for_jobs)
The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability...
Sensitive Data Exposure in extension "Job Fair" (jobfair)
The extension fails to protect or obfuscate filenames of uploaded files. This allows unauthenticated users to download files with sensitive data by simply guessing the filename of uploaded files (e.g. uploads/txjobfair/cv.pdf)...
Multiple vulnerabilities in extension "pixx.io integration for TYPO3 (DAM)" (pixxio)
The extension fails to restrict the image download to the configured pixx.io DAM URL, resulting in Server-side request forgery. As a result of the Server-side request forgery vulnerability, an attacker can download various content from a remote location and save it to a user-controlled filename...
HTTP Host Header Injection in Request Handling
It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend rendering process. Since the host header itself is provided by the client, it can b...
Cross-Site-Request-Forgery in Backend URI Handling
It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery...
Cross-Site Scripting via Rich-Text Content
Failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser do not consider all potentially malicious HTML tag ...
Cross Site Scripting in Extension "Yoast SEO for TYPO3" (yoast_seo)
The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability...
SQL Injection in extension "Newsletter" (newsletter)
It has been discovered that the extension is susceptible to SQL Injection when processing bounced emails...
Denial of Service in Extension "Deferred image processing" (deferred_image_processing)
Wrong usage of the TYPO3 FAL API results in copies of processed files being saved to the /var/transient/ folder of a TYPO3 website on every frontend request. This can result in Denial of Service, since the webspace may be filled up with image files simply by crafting a large amount of requests to...
Multiple vulnerabilities in Extension "Miniorange Saml" (miniorange_saml)
The extension fails to properly encode user input for output in HTML context (CVE-2021-36785). Also the extension contains sensitive data (API credentials and private key) which should not have been published (CVE-2021-36786). Finally the extension bundles several 3rd Party Components jQuery and...
Multiple vulnerabilities in Extension "Dated News" (dated_news)
The extension fails to properly encode user input for output in HTML context (CVE-2021-36790) and contains a blind SQL injection vulnerability (CVE-2021-36789). It is also possible to confirm various applications (CVE-2021-36792) and thereby obtain all application registration data (CVE-2021-36791)...
Sensitive Information Disclosure in “Extbase Yaml Routes” (routes)
When using the CsrfTokenViewHelper the extension discloses the user's session identifier to HTML output without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance Cross Site...
Cross-Site Scripting in Extension "femanager" (femanager)
By default, the extension allows SVG files to be uploaded when a logged-in frontend user uploads a new profile image. This may lead to Cross-Site Scripting when the uploaded SVG image is used as is on the website...
Cross-Site Scripting in Page Preview
Failing to properly encode Page TSconfig settings, the corresponding page preview module WebView is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability...
Sensitive links in search results of TYPO3 extension indexed_search
On TYPO3 websites where the “Indexed Search” extension is used, sensitive links may get indexed. The problem occurs when a TYPO3 page contains a plugin that handles possible sensitive actions via HTTP GET parameters e.g. confirmation action for a newsletter subscription, or similar token-based...
CSV Code Injection
CSV code injection is an attack scenario where untrusted user input is written to a CSV file and leads to the execution of code formulas when the file is consumed by an external application (e.g. Microsoft Excel or Google Sheets). As a result, this may lead to Data Exfiltration or Remote Code...
Cross-Site Scripting in Query Generator & Query View
Failing to properly encode error messages, the components QueryGenerator and QueryView are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability...
Information Disclosure in User Authentication
It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the default configuration...
Cross-Site Scripting in Backend Grid View
Failing to properly encode settings for backend layouts, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability...
Cross-Site Scripting in extension "Bootstrap Package" (bootstrap_package)
The extension fails to properly encode user input for output in HTML context. The following templates are affected by the vulnerability:...
Server-side request forgery in extension "Yoast SEO for TYPO3" (yoast_seo)
The extension fails to restrict analyzed URLs to domains managed by the current TYPO3 website. A logged-in TYPO3 backend user can use the vulnerability to make HTTP requests to arbitrary domains including the webserver itself or other internally managed resources...
Cross-Site Scripting in extension "2 Clicks for External Media" (media2click)
The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability...
SQL Injection in extension "Dynamic Content Element" (dce)
The extension fails to properly sanitize user input and is susceptible to SQL Injection. A TYPO3 backend user account is required to exploit the vulnerability...
Broken Access Control in Form Framework
Due to improper input validation, attackers can bypass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework...
Unrestricted File Upload in Form Framework
Due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default fileDenyPattern successfully blocked files like .htaccess or malicious.php...
Cross-Site Scripting in Form Framework
It has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability...
Denial of Service in extension "Code Highlight" (codehighlight)
The extension bundles a vulnerable version of the 3rd party JavaScript component “prism” which is known to be vulnerable to Regular expression Denial of Service (ReDoS)...
Cross-Site Scripting in Content Preview
It has been discovered that database fields used as descriptionColumn are vulnerable to cross-site scripting when their content gets previewed in the page module. A valid backend user account is needed to exploit this vulnerability...
Open Redirection in Login Handling
It has been discovered that Login Handling is susceptible to open redirection, which allows attackers to redirect to arbitrary content and conduct phishing attacks. No authentication is required in order to exploit this vulnerability...
Cross-Site Scripting in Content Preview
It has been discovered that content elements of type menu are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability...
SQL Injection in extension "VHS: Fluid ViewHelpers" (vhs)
It has been discovered that the extension is susceptible to blind SQL Injection when user input is passed to the isLanguageViewHelper...
Cleartext storage of session identifier
User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system...
Denial of Service in Page Error Handling
Requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack...
Cross-Site Scripting in extension "Aimeos shop and e-commerce framework" (aimeos)
The extension fails to properly encode user input for output in HTML context. A valid backend user account with access to the Aimeos module is needed to exploit this vulnerability...
Denial of Service in extension "Authenticator" (defbu_authenticator)
The extension bundles demo files of a 3rd party QR Code generator allowing a remote user to create QR Codes saved as PNG files on the webserver. This can result in Denial of Service, since the webspace can be filled up with a large amount of PNG files...
Sensitive Data Exposure in extension "View frontend statistics" (view_statistics)
The extension saves all GET and POST data of TYPO3 frontend requests to the database. Depending on the extensions used on a TYPO3 website, sensitive data (e.g. plain text passwords if ext:felogin is installed) may be saved...
XML External Entity in Dashboard Widget
It has been discovered that RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions...
Cleartext storage of session identifier
User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system...
Cross-Site Scripting through Fluid view helper arguments
Three XSS vulnerabilities have been detected in Fluid:...
Mitigation of Cross-Site Scripting Vulnerabilities in File Upload Handling
According to TYPO3-PSA-2019-010 authenticated users - but not having administrator privileges - are allowed to upload files to their granted file mounts (e.g. fileadmin/ in most cases). This also includes the possibility to upload potentially malicious code in HTML or SVG files using JavaScript,...
Cross-Site Scripting in Fluid view helpers
It has been discovered that system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting when passing user-controlled data as argument to Fluid view helpers...
Multiple vulnerabilities in extension "phpMyAdmin" (phpmyadmin)
Multiple vulnerabilities have been found in the phpMyAdmin component...