Lucene search
K
Typo3Most viewed

473 matches found

Typo3
Typo3
added 2009/08/18 12:0 a.m.87 views

Multiple vulnerabilities in third party extensions

Several vulnerabilities have been found in the following third party TYPO3 extensions: "AIRware Lexicon" airlexicon, "AST ZipCodeSearch" astaddresszipsearch, "Car" car, "Event Registration" eventregistr, "Solidbase Bannermanagement" SBbanner, "t3maffiliate" t3maffiliate, "AJAX Chat" vjchat Releas...

7.8AI score
Exploits0Affected Software7
Typo3
Typo3
added 2019/05/07 12:0 a.m.85 views

Cross-Site Scripting in Bootstrap CSS toolkit before 3.4.1 and 4.3.0

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, cross-site scripting is possible in the tooltip or popover data-template attribute...

4.3CVSS1.4AI score0.1686EPSS
Exploits2Affected Software1
Typo3
Typo3
added 2014/02/12 12:0 a.m.84 views

Several vulnerabilities in extension mm_forum (mm_forum)

It has been discovered that the extension "mmforum" mmforum is vulnerable to Arbitrary Code Execution, Cross-Site Scripting and Cross-Site Request Forgery Release Date: February 12, 2014 Bulletin update: September 18, 2014 added CVEs Component Type: Third party extension. This extension is not a...

7.5CVSS6.7AI score0.02326EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2013/09/25 12:0 a.m.84 views

Several vulnerabilities in extension AWStats (cc_awstats)

It has been discovered that the extension "AWStats" ccawstats contains an unspecific vulnerability in the bundled AWStats version. Release Date: September 25, 2013 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version...

4.3CVSS6.1AI score0.05796EPSS
Exploits1Affected Software1
Typo3
Typo3
added 2012/07/04 12:0 a.m.82 views

Cross-Site Scripting Vulnerability in TYPO3 Core

It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting. Component Type: TYPO3 Core Affected Versions: 4.5.0 up to 4.5.16, 4.6.0 up to 4.6.9, 4.7.0 up to 4.7.1 and development releases of the 6.0 branch. Bulletin history: July 4, 2012 - corrected Secunia Advisory ID Vulnerabl...

4.3CVSS0.4AI score0.09088EPSS
Exploits10Affected Software1
Typo3
Typo3
added 2018/12/11 12:0 a.m.79 views

Cross-Site Scripting in CKEditor

It has been discovered, that the third party library CKEditor is vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability...

4.3CVSS2AI score0.01954EPSS
Exploits1Affected Software1
Typo3
Typo3
added 2021/03/16 12:0 a.m.78 views

Denial of Service in Page Error Handling

Requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack...

5CVSS2.1AI score0.01731EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2018/08/09 12:0 a.m.77 views

Environment Variable Injection in extension "AWS SDK for PHP" (aws_sdk_php)

The extension uses an old version of the third party library guzzlehttp/guzzle, which is known to be vulnerable against the HTTPOXY attack. Read or for further details...

5.1CVSS3AI score0.50427EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2008/05/15 12:0 a.m.75 views

Multiple vulnerabilities in extension Frontend User Registration (sr_feuser_register)

It has been discovered that the extension Frontend User Registration srfeuserregister is susceptible to Cross Site Scripting XSS attacks and allows Remote Command Execution. Component Type: Third party extensions. These extensions are not part of the TYPO3 default installation. Affected Versions:...

7.3AI score
Exploits0Affected Software1
Typo3
Typo3
added 2019/06/25 12:0 a.m.72 views

Multiple vulnerabilities in extension "phpMyAdmin" (phpmyadmin)

Multiple vulnerabilities have been found in the phpMyAdmin component...

7.5CVSS1.7AI score0.19184EPSS
Exploits4Affected Software1
Typo3
Typo3
added 2019/05/08 12:0 a.m.69 views

By-passing protection of Phar Stream Wrapper Interceptor

Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application. In July 2018, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the TYPO3 core. For more details...

7.5CVSS6AI score0.05586EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2018/08/09 12:0 a.m.68 views

Environment Variable Injection in extension "Amazon Web Services SDK " (aws_sdk)

The extension uses an old version of the third party library guzzlehttp/guzzle, which is known to be vulnerable against the HTTPOXY attack. Read or for further details...

5.1CVSS3AI score0.50427EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2021/04/27 12:0 a.m.67 views

SQL Injection in extension "Dynamic Content Element" (dce)

The extension fails to properly sanitize user input and is susceptible to SQL Injection. A TYPO3 backend user account is required to exploit the vulnerability...

4CVSS2.8AI score0.01406EPSS
Exploits3Affected Software1
Typo3
Typo3
added 2020/11/17 12:0 a.m.66 views

Multiple vulnerabilities in extension "phpMyAdmin" (phpmyadmin)

Multiple vulnerabilities have been found in the phpMyAdmin component...

7.5CVSS1.7AI score0.67081EPSS
Exploits1Affected Software1
Typo3
Typo3
added 2011/08/25 12:0 a.m.64 views

Several Vulnerabilities in extension Formhandler (formhandler)

It has been discovered that the extension Formhandler formhandler is vulnerable to SQL-Injection and Cross-Site Scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 0.9.14 and below Vulnerability Types: SQL...

6.9AI score
Exploits0Affected Software1
Typo3
Typo3
added 2020/07/28 12:0 a.m.63 views

Potential Privilege Escalation

In case an attacker manages to generate a valid cryptographic message authentication code HMAC-SHA1 - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the...

6.8CVSS3.1AI score0.01782EPSS
Exploits1Affected Software1
Typo3
Typo3
added 2022/02/15 12:0 a.m.62 views

Cross-Site Scripting in extension "Bookdatabase" (extbookdatabase)

The extension bundles a vulnerable version of the 3rd party JavaScript component “Datatables” which was known to be vulnerable against Cross-Site Scripting...

4.3CVSS3.2AI score0.01837EPSS
Exploits1Affected Software1
Typo3
Typo3
added 2021/03/16 12:0 a.m.62 views

Cross-Site Scripting in extension "Aimeos shop and e-commerce framework" (aimeos)

The extension fails to properly encode user input for output in HTML context. A valid backend user account with access to the Aimeos module is needed to exploit this vulnerability...

3.5CVSS5.7AI score0.00501EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2011/12/16 12:0 a.m.62 views

Remote Code Execution in TYPO3 Core

It has been discovered that TYPO3 Core is vulnerable to Remote Code Execution. Component Type: TYPO3 Core Affected Versions: 4.5.0 up to 4.5.8, 4.6.0 and 4.6.1 + development releases of 4.7 branch Vulnerability Types: Remote Code Execution Overall Severity: Critical Release Date: December 16, 201...

7.7AI score
Exploits0Affected Software1
Typo3
Typo3
added 2014/12/15 12:0 a.m.60 views

Multiple vulnerabilities in BibTex Publications (si_bibtex)

It has been discovered that the extension "BibTex Publications" sibibtex is susceptible to Cross-Site Scripting and SQL Injection. Release Date: December 15, 2014 Bulletin Update: January 9, 2015 added CVEs Component Type: Third party extension. This extension is not a part of the TYPO3 default...

7.5CVSS6.2AI score0.0126EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2022/02/15 12:0 a.m.59 views

Insecure direct object reference in extension "Varnishcache" (varnishcache)

The Edge Site Includes ESI content element renderer component of the extension does not include an access check. This allows an unauthenticated user to render various content elements, resulting in insecure direct object reference IDOR with the potential of exposing internal content elements...

5CVSS5.7AI score0.00758EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2021/03/16 12:0 a.m.60 views

Broken Access Control in Form Framework

Due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework...

6.5CVSS4.7AI score0.01606EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2020/03/10 12:0 a.m.58 views

Multiple vulnerabilities in extension "Magalone Flipbook for TYPO3" (magaloneflipbook)

An authenticated backend user can use the backend module to upload arbitrary files resulting in Remote Code Execution. Also, the backend module is susceptible to path traversal which allows an authenticated backend user to upload and overwrite files in all locations the webserver has access to...

7.5AI score
Exploits0Affected Software1
Typo3
Typo3
added 2019/06/25 12:0 a.m.58 views

Cross-Site Scripting in Link Handling

It has been discovered that the t3:// URL handling is vulnerable to cross-site scripting when making use of javascript: or data: scheme in link fields like the following...

4.3CVSS6.2AI score0.00685EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2009/04/06 12:0 a.m.58 views

Multiple vulnerabilities in third party extensions

Several vulnerabilities have been found in the following third party TYPO3 extensions: "A21glossary Advanced Output" a21glossaryadvancedoutput, "ClickStream Analyzer output" alternetcsaout, "Directory Listing" dirlisting, "Store Locator" locator, "Userdata Create/Edit" sguserdata, "Versatile...

7.2AI score
Exploits0Affected Software8
Typo3
Typo3
added 2022/02/22 12:0 a.m.55 views

Sanitization bypass in SVG Sanitizer

The SVG sanitizer library enshrined/svg-sanitize before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML fetched as text/html was susceptible to cross-site scripting. Plain SVG files fetched as image/svg+xml were not affected...

4.3CVSS1AI score0.00682EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2020/05/12 12:0 a.m.54 views

SQL Injection in extension "phpMyAdmin" (phpmyadmin)

Multiple vulnerabilities have been found in the phpMyAdmin component...

6CVSS2AI score0.02694EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2012/11/08 12:0 a.m.54 views

Several Vulnerabilities in TYPO3 Core

It has been discovered that TYPO3 Core is vulnerable to SQL Injection, Information Disclosure and Cross-Site Scripting Component Type: TYPO3 Core Affected Versions: 4.5.0 up to 4.5.20, 4.6.0 up to 4.6.13, 4.7.0 up to 4.7.5 and development releases of the 6.0 branch. Vulnerability Types: SQL...

6.5CVSS0.7AI score0.02169EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2021/03/16 12:0 a.m.53 views

Open Redirection in Login Handling

It has been discovered that Login Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and conducting phishing attacks. No authentication is required in order to exploit this vulnerability...

5.8CVSS3.9AI score0.01104EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2006/10/10 12:0 a.m.53 views

Cross-Site Scripting in fe_adminLib.inc

A problem has been discovered with feadminLib.inc bein vulnerable for Cross-Site Scripting XSS Component Type: TYPO3 Core Affected Versions: TYPO3 4.0.3 IMPORTANT: customized version still need manual correction Vulnerability Type: cross Site Scripting XSS Severity: minor Problem Description: The...

5.9AI score
Exploits0Affected Software1
Typo3
Typo3
added 2014/10/17 12:0 a.m.50 views

Denial of Service vulnerability in extension Calendar Base (cal)

It has been discovered that the extension "Calendar Base" cal is susceptible to Denial of Service. Release Date: October 17, 2014 Bulletin Update: October 18, 2014 added CVE Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: a...

7.8CVSS6.3AI score0.01819EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2021/08/10 12:0 a.m.49 views

Multiple vulnerabilities in Extension "Dated News" (dated_news)

The extension fails to properly encode user input for output in HTML context CVE-2021-36790 and contains a blind SQL injection vulnerability CVE-2021-36789. It is also possible to confirm various applications CVE-2021-36792 and thereby obtain all application registration data CVE-2021-36791...

7.5CVSS7.1AI score0.00996EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2021/03/16 12:0 a.m.49 views

Cleartext storage of session identifier

User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system...

5CVSS3AI score0.00918EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2019/06/25 12:0 a.m.49 views

Possible deserialization side-effects in symfony/cache

Third party component symfony/cache could have been potentially leading to removal of arbitrary files in combination with other insecure deserialization vulnerabilities...

6.5CVSS3.5AI score0.02302EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2014/05/22 12:0 a.m.49 views

Arbitrary code execution in extension "powermail" (powermail)

It has been discovered that the extension "powermail" powermail is susceptible to arbitrary code execution and Cross-Site Scripting Release Date: May 22, 2014 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: powermail:...

7.5CVSS7AI score0.02326EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2008/05/13 12:0 a.m.49 views

Multiple vulnerabilities in extension WT Gallery (wt_gallery)

It has been discovered that the extension wtgallery is susceptible to Path Traversal and Cross Site Scripting XSS attacks. Besides that, it may disclose sensitive information. Component Type: Third party extension. This extension is not part of the TYPO3 default installation. Affected Versions:...

6.2AI score
Exploits0Affected Software1
Typo3
Typo3
added 2021/04/27 12:0 a.m.48 views

Cross-Site Scripting in extension "Bootstrap Package" (bootstrap_package)

The extension fails to properly encode user input for output in HTML context. The following templates are affected by the vulnerability:...

3.5CVSS1.1AI score0.00941EPSS
Exploits1Affected Software1
Typo3
Typo3
added 2019/05/08 12:0 a.m.48 views

By-passing protection of Phar Stream Wrapper Interceptor

Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application. In July 2018, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the TYPO3 core. For more details...

7.5CVSS8.7AI score0.02675EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2021/08/10 12:0 a.m.47 views

Cross Site Scripting in Extension "Yoast SEO for TYPO3" (yoast_seo)

The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability...

3.5CVSS0.9AI score0.00471EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2020/11/17 12:0 a.m.47 views

Cleartext storage of session identifier

User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system...

5CVSS3AI score0.00666EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2013/02/19 12:0 a.m.47 views

SQL Injection vulnerability in extension CoolURI (cooluri)

It has been discovered that the extension "CoolURI" cooluri is vulnerable to SQL Injection. Release Date: February 19, 2012 Bulletin Update: November 06, 2014 added CVE Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Versio...

7.5CVSS6.9AI score0.01352EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2021/03/16 12:0 a.m.46 views

Cross-Site Scripting in Content Preview

It has been discovered that database fields used as descriptionColumn are vulnerable to cross-site scripting when their content gets previewed in the page module. A valid backend user account is needed to exploit this vulnerability...

3.5CVSS1.9AI score0.00872EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2020/11/17 12:0 a.m.46 views

Cross-Site Scripting through Fluid view helper arguments

Three XSS vulnerabilities have been detected in Fluid:...

4.3CVSS1.1AI score0.01026EPSS
Exploits1Affected Software1
Typo3
Typo3
added 2021/04/27 12:0 a.m.45 views

Server-side request forgery in extension "Yoast SEO for TYPO3" (yoast_seo)

The extension fails to restrict analyzed URLs to domains managed by the current TYPO3 website. A logged in TYPO3 backend user can use the vulnerability to make HTTP requests to arbitrary domains including the webserver itself or other internally managed resources...

5.5CVSS0.9AI score0.00474EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2015/01/08 12:0 a.m.45 views

Improper Authentication in LDAP / SSO Authentication (ig_ldap_sso_auth)

It has been discovered that the extension "LDAP / SSO Authentication" igldapssoauth is susceptible to Improper Authentication. Release Date: January 8, 2015 Bulletin Update: January 8, 2015 Affected Versions, Severity; February 23, 2015 added CVE Component Type: Third party extension. This...

8.8AI score0.02935EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2020/11/17 12:0 a.m.44 views

Cross-Site Scripting in Fluid view helpers

It has been discovered that system extension Fluid typo3/cms-fluid of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers...

4.3CVSS2.1AI score0.00715EPSS
Exploits1Affected Software1
Typo3
Typo3
added 2021/03/16 12:0 a.m.43 views

Denial of Service in extension "Code Highlight" (codehighlight)

The extension bundles a vulnerable version of the 3rd party JavaScript component “prism” which is known to be vulnerable against Regular expression Denial of Service ReDoS...

6.8AI score
Exploits0Affected Software1
Typo3
Typo3
added 2011/03/15 12:0 a.m.43 views

XSS and SQL Injection vulnerabilities in extension "Direct Mail" (direct_mail)

TYPO3-SA-2011-002 Release Date: March 15, 2011 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 2.6.9 and all versions below Vulnerability Type: Cross-Site Scripting XSS, SQL Injection Severity: Low Suggested CVSS...

6.9AI score
Exploits0Affected Software1
Typo3
Typo3
added 2010/09/02 12:0 a.m.43 views

Multiple vulnerabilities in third-party extensions

Several vulnerabilities have been found in the following third party TYPO3 extensions: Commenting system Backend Module commentsbe, Tiny Market hmtinymarket, Yet Another Calendar keyac, The official twitter tweet button for your page tweetbutton, XING Button xing Release Date: September 2, 2010...

7.5AI score
Exploits0Affected Software5
Typo3
Typo3
added 2005/03/07 12:0 a.m.43 views

TYPO3 Security Bulletin

Unless the default encryption key settings have been changed by the administrator, the TYPO3 mailform can be compromised to send mail to a wrong receipient. Thus, spam mails may be sent from a remote site. Component Type: Core Affected Component: mailforms Version: 3.7.0 and earlier Vulnerability...

6.8AI score
Exploits0Affected Software1
Total number of security vulnerabilities473