473 matches found
Information Disclosure in TYPO3 Backend
It has been discovered, that TYPO3 is susceptible to Information Disclosure. Component Type: TYPO3 CMS Release Date: July 19, 2016 Vulnerable subcomponent: Backend Vulnerability Type: Information Disclosure Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0 Severity: L...
Cross-Site Scripting in extension "News system" (news)
It has been discovered that the extension "News system" news is susceptible to Cross-Site Scripting. Release Date: September 30, 2015 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 3.2.1 and below Vulnerability Typ...
Authentication Bypass in TYPO3 CMS 4.5
It has been discovered that TYPO3 CMS 4.5.x is vulnerable to Authentication Bypass. Component Type: TYPO3 CMS Vulnerability Types: Authentication Bypass Overall Severity: Critical Release Date: February 19, 2015 Bulletin Update: February 23, 2015 added CVE Vulnerable subcomponent: rsaauth system...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: browser, kesearch, locator, realurlmanagement, wfqbe Release Date: August 05, 2013 Bulletin update: September 5, 2014 added CVEs Please read first: This Collective Security Bulletin CSB is a listing of vulnerab...
Unrestricted File Upload in Form Framework
Due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default fileDenyPattern successfully blocked files like .htaccess or malicious.php...
Cross Site Scripting vulnerability in extension Questionaire (pbsurvey)
It has been discovered that the extension Questionaire pbsurvey is susceptible to Cross Site Scripting XSS attacks. Component Type: Third party extension. This extension is not part of the TYPO3 default installation. Affected Versions: Version 1.2.0 and below Vulnerability Type: Cross Site...
Multiple Vulnerabilities in TYPO3 CMS
It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing. Component Type: TYPO3 CMS Vulnerability Types: Cross-Site Scripting, Insecure Unserialize, Improper...
Mass Assignment in extension Direct Mail Subscription (direct_mail_subscription)
It has been discovered that the extension "Direct Mail Subscription" directmailsubscription is susceptible to Mass Assignment. Release Date: February 12, 2014 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 2.0.0 an...
Incomplete Access Management and Remote Code Execution Vulnerability in TYPO3 Core
It has been discovered that TYPO3 Core has Incomplete Access Management and is vulnerable to Remote Code Execution Component Type: TYPO3 Core Vulnerability Types: Cross-Site Scripting, Remote Code Execution Overall Severity: Critical Release Date: September 4, 2013 Vulnerable subcomponent: File...
Access Bypass in extensions "Yet Another Gallery" (yag) and "Tools for Extbase development" (pt_extbase)
It has been discovered that the extensions "Yet Another Gallery" yag and "Tools for Extbase development" ptextbase are susceptible to Access Bypass Release Date: February 12, 2014 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected...
Multiple vulnerabilities in TYPO3 Core
It has been discovered that TYPO3 Core is vulnerable to Arbitrary Code Execution, Path Traversal, Cross-Site Scripting XSS, SQL injection and Information Disclosure. Component Type: TYPO3 Core Affected Versions: 4.2.15 and below, 4.3.8 and below, 4.4.4 and below Vulnerability Types: Arbitrary Cod...
Cross-Site Scripting in Content Preview
It has been discovered that content elements of type menu are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability...
Multiple Vulnerabilities in TYPO3 CMS
It has been discovered that TYPO3 CMS is vulnerable to Denial of Service and Arbitrary Shell Execution! Component Type: TYPO3 CMS Vulnerability Types: Denial of Service, Arbitrary Shell Execution Overall Severity: Medium Release Date: October 22, 2014 Vulnerable subcomponent: OpenID System...
Multiple vulnerabilities in Content Rating Extbase (content_rating_extbase)
It has been discovered that the extension "Content Rating Extbase" contentratingextbase is susceptible to Cross-Site Scripting and SQL Injection. Release Date: January 9, 2015 Bulletin Update: February 23, 2015 added CVEs Component Type: Third party extension. This extension is not a part of the...
Several vulnerabilities in extension JobControl (dmmjobcontrol)
It has been discovered that the extension "JobControl" dmmjobcontrol is susceptible to Cross-Site Scripting and SQL Injection. Release Date: September 25, 2014 Bulletin update: October 6, 2014 added CVEs Component Type: Third party extension. This extension is not a part of the TYPO3 default...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: alphasitemap, femanager kestats, outstats, pxphpids, smarty, wecmap Release Date: February 12, 2014 Bulletin update: September 18, 2014 added CVEs Please read first: This Collective Security Bulletin CSB is a...
Statement on Recent log4j/log4shell Vulnerabilities (CVE-2021-44228)
The critical vulnerability that was recently exposed in the log4j Java library is currently going through the media and some TYPO3 users are unsure whether TYPO3 CMS or TYPO3 extensions are affected by this vulnerability too...
Captcha Bypass in extension "powermail" (powermail)
It has been discovered that the extension "powermail" powermail is susceptible to Captcha Bypass Release Date: April 10, 2014 Bulletin update: September 18, 2014 added CVE Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions:...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: attacalendar, attacpetition, eusubscribe, exinitjoboffer, fefilebrowser, jscssoptimizer, kkcsv2table, lonewsseo, mnmysql2json, newssearch, tipafriendplus, twitterauth, sofortueberweisung2commerce, sysmessages...
Blind SQL Injection vulnerability in extension "powermail" (powermail)
It has been discovered that the extension powermail powermail is vulnerable to Blind SQL Injection. Release Date: May 11, 2011 Version 1 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.6.0, 1.6.1 and 1.6.2...
Cross-Site Scripting and Remote Code Execution Vulnerability in TYPO3 Core
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting and Remote Code Execution Component Type: TYPO3 Core Vulnerability Types: Cross-Site Scripting, Remote Code Execution Overall Severity: Critical Release Date: July 30, 2013 Vulnerable subcomponent: Third Party Libraries...
Vulnerability in TYPO3 Core
It has been discovered that TYPO3 Core is vulnerable to authentication bypass. Component Type: TYPO3 Core Affected Versions: TYPO3 version 4.3.0 with enabled system extension "openid" Vulnerability Types: Authentication Bypass Overall Severity: High Release Date: January 14, 2010 Vulnerable...
SQL Injection in extension "VHS: Fluid ViewHelpers" (vhs)
It has been discovered that the extension is susceptible to blind SQL Injection when user input is passed to the isLanguageViewHelper...
Multiple vulnerabilities in extension "Ajax mail subscription" (ods_ajaxmailsubscription)
It has been discovered that the extension "Ajax mail subscription" odsajaxmailsubscription is susceptible to Insecure Authentication and Session Handling. Release Date: March 24, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected...
Authentication Bypass in TYPO3 CMS
It has been discovered that TYPO3’s Salted Password system extension which is a mandatory system component is vulnerable to Authentication Bypass when using hashing methods which are related by PHP class inheritance. In standard TYPO3 core distributions stored passwords using the blowfish hashing...
Multiple vulnerabilities in extension phpMyAdmin (phpmyadmin)
It has been discovered that the extension "phpMyAdmin" phpmyadmin is susceptible to Cross-Site Scripting, Denial of Service and Local File Inclusion. Release Date: December 8, 2014 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected...
Several vulnerabilities in extension Apache Solr for TYPO3 (solr)
It has been discovered that the extension "Apache Solr for TYPO3" solr is vulnerable to Cross-Site Scripting and Insecure Unserialize. Release Date: September 25, 2013 Bulletin Update: November 06, 2014 added CVEs Component Type: Third party extension. This extension is not a part of the TYPO3...
Non-Persistent Cross-Site Scripting
It has been discovered, that TYPO3 is susceptible to Non-Persistent Cross-Site Scripting Component Type: TYPO3 CMS Release Date: September 8, 2015 Vulnerable subcomponent: Backend Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.14, 7.0.0 to 7.3.0 Severity: Low...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: booking, cronmmratsinfo, icsawstats, iflowgallery, keuserregister, metabeawstatsind, powermailoptin, smarty, youtubevideos Release Date: September 25, 2013 Please read first: This Collective Security Bulletin C...
Link spoofing and cache poisoning vulnerabilities in TYPO3 CMS
It has been discovered that TYPO3 CMS is vulnerable to Link Spoofing and Cache Poisoning. Component Type: TYPO3 CMS Vulnerability Types: Link Spoofing, Cache Poisoning Overall Severity: Medium Release Date: December 10, 2014 Vulnerable subcomponent: Frontend Rendering Vulnerability Type: Link...
Cross-Site Scripting in jQuery before 3.4.0
jQuery before 3.4.0 mishandles jQuery.extendtrue, , ... because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype...
Multiple Vulnerabilities in TYPO3 CMS
It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, Information Disclosure, Mass Assignment, Open Redirection and Insecure Unserialize. Component Type: TYPO3 CMS Vulnerability Types: Cross-Site Scripting, Information Disclosure, Mass Assignment, Open Redirection and...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: cwtfeedit, euldap, flatmgr, jhopengraphprotocol, kedompdf, lumophpinclude, newspack, sbakronymmanager, staddressma, weeaargooglesitemap,. wtdirectory Release Date: September 02, 2014 Bulletin update: September ...
Cross-Site Scripting in Bootstrap CSS toolkit
It has been discovered that the third party library Bootstrap CSS toolkit is vulnerable to cross-site scripting. Details are mentioned in a dedicated vulnerability report at...
Cross-Site Scripting in extension "Kitodo.Presentation" (dlf)
The extension fails to properly encode user input for output in HTML context. In addition, the extension also includes jQuery 3.4.1 which is known to be vulnerable against Cross Site Scripting...
SQL Injection in extension "phpmyadmin" (phpmyadmin)
Multiple vulnerabilities have been found in the phpMyAdmin component...
Multiple vulnerabilities in extension phpMyAdmin (phpmyadmin)
It has been discovered that the extension "phpMyAdmin" phpmyadmin is susceptible to unsafe comparison of XSRF/CSRF token, multiple full path disclosure vulnerabilities, multiple XSS vulnerabilities, insecure password generation in JavaScript. Release Date: March 10, 2016 Component Type: Third par...
Environment Variable Injection in extension "Amazon AWS S3 FAL driver (CDN)" (aus_driver_amazon_s3)
The extension uses an old version of the third party library guzzlehttp/guzzle, which is known to be vulnerable against the HTTPOXY attack. Read or for further details...
Cross-Site Scripting vulnerability in extension phpMyAdmin (phpmyadmin)
It has been discovered that the extension "phpMyAdmin" phpmyadmin is susceptible to Cross-Site Scripting. Release Date: November 5, 2014 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: 4.18.0, 4.18.1, 4.18.2 and 4.18.3...
HTTP Host Header Injection in Request Handling
It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend rendering process. Since the host header itself is provided by the client, it can b...
Multiple vulnerabilities in Content Rating (content_rating)
It has been discovered that the extension "Content Rating" contentrating is susceptible to Cross-Site Scripting and SQL Injection. Release Date: January 9, 2015 Bulletin Update: February 23, 2015 added CVEs Component Type: Third party extension. This extension is not a part of the TYPO3 default...
Cross-Site Scripting Vulnerability in TYPO3 Core
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting. Component Type: TYPO3 Core Affected Versions: 4.4.0 up to 4.4.14, 4.5.0 up to 4.5.14, 4.6.0 up to 4.6.7 and development releases of the 4.7 branch. Vulnerable subcomponent: Exception Handler Vulnerability Type: Cross-Si...
TYPO3 Security Bulletin
It has been discovered that the extension phpMyAdmin phpmyadmin is vulnerable to Cross-Site Scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 4.8.1 and below Vulnerability Type: Cross-Site Scripting Severit...
Improper Access Control vulnerability in extension fal_sftp (fal_sftp)
It has been discovered that the extension "falsftp" falsftp is susceptible to Improper Access Control. Release Date: October 17, 2014 Bulletin Update: October 18, 2014 added CVE Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Version...
XSS and SQL injection vulnerabilities in extension "phpMyAdmin" (phpmyadmin)
It has been discovered that the extension phpMyAdmin phpmyadmin is vulnerable to XSS and SQL injections. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 4.3.0 and all versions below Vulnerability Type: Cross-Site...
Insecure Unserialize in extension News (tt_news)
It has been discovered that the extension "News" ttnews is susceptible to Insecure Unserialize. Release Date: February 12, 2014 Bulletin update: September 18, 2014 added CVE Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions:...
Cross-Site Scripting in Link Handling
It has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting - properties being assigned as HTML attributes have not been parsed correctly...
TYPO3 Security Bulletin
It has been discovered that the extension phpMyAdmin phpmyadmin is vulnerable to Broken Access Control. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 4.1.0 till 4.8.0 including Vulnerability Type: Broken Access...
Cross-Site Scripting in gridelements
It has been discovered that the extension "Grid Elements" gridelements is susceptible to Cross-Site Scripting Release Date: May 27, 2014 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: 2.0.2 and below, 1.5.0 and below...
Multiple vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third party TYPO3 extensions: "AIRware Lexicon" airlexicon, "AST ZipCodeSearch" astaddresszipsearch, "Car" car, "Event Registration" eventregistr, "Solidbase Bannermanagement" SBbanner, "t3maffiliate" t3maffiliate, "AJAX Chat" vjchat Releas...