Lucene search
K
Typo3Most viewed

473 matches found

Typo3
Typo3
added 2021/07/20 12:0 a.m.25 views

Information Disclosure in User Authentication

It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the default configuration...

3.5CVSS2AI score0.00829EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2020/05/12 12:0 a.m.25 views

Cross-Site Scripting in Form Engine

It has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability...

3.5CVSS1AI score0.0054EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2016/04/12 12:0 a.m.25 views

Privilege Escalation in TYPO3 CMS

It has been discovered, that TYPO3 CMS is vulnerable to Privilege Escalation. Component Type: TYPO3 CMS Release Date: April 12, 2016 Vulnerable subcomponent: Version Vulnerability Type: Privilege Escalation Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0 Severity: Medium...

6.9AI score
Exploits0Affected Software1
Typo3
Typo3
added 2015/07/01 12:0 a.m.25 views

Brute Force Protection Bypass in backend login

It has been discovered, that the backend login brute force protection can be bypassed Component Type: TYPO3 CMS Release Date: July 1, 2015 Vulnerable subcomponent: Backend Vulnerability Type: Brute Force Protection Bypass Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0 Severity: Low...

6.9AI score
Exploits0Affected Software1
Typo3
Typo3
added 2010/07/28 12:0 a.m.25 views

Vulnerabilitiy in extension Front End User Registration (sr_feuser_register)

It has been discovered that the extension Frontend User Registration srfeuserregister is susceptible to Security Misconfiguration. Component Type: Third party extension. This extensions is not part of the TYPO3 default installation. Affected Versions: Version 2.5.25. Vulnerability Type: Security...

6.9AI score
Exploits0Affected Software1
Typo3
Typo3
added 2008/05/15 12:0 a.m.25 views

Multiple vulnerabilities in extension Frontend Filemanager (air_filemanager)

It has been discovered that the extension Frontend Filemanager airfilemanager is susceptible to Cross Site Scripting XSS attacks and allows Remote Code Execution. Component Type: Third party extensions. These extensions are not part of the TYPO3 default installation. Affected Versions: Version...

7.4AI score
Exploits0Affected Software1
Typo3
Typo3
added 2021/07/20 12:0 a.m.24 views

Cross-Site Scripting in Page Preview

Failing to properly encode Page TSconfig settings, the corresponding page preview module WebView is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability...

3.5CVSS2.7AI score0.00603EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2020/05/12 12:0 a.m.24 views

Information Disclosure in Password Reset

It has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to verify whether a backend user account with a given email address exists or not...

4.3CVSS4AI score0.01188EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2015/12/15 12:0 a.m.24 views

Cross-Site Scripting in TYPO3 component Extension Manager

It has been discovered, that TYPO3 is susceptible to Cross-Site Scripting Component Type: TYPO3 CMS Release Date: December 15, 2015 Vulnerable subcomponent: Extension Manager Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.15, 7.0.0 to 7.6.0 Severity: Low Suggest...

6.9AI score
Exploits0Affected Software1
Typo3
Typo3
added 2015/06/15 12:0 a.m.24 views

Arbitrary Code Execution in extension Job Fair (jobfair)

It has been discovered that the extension "Job Fair" jobfair is susceptible to Arbitrary Code Execution Release Date: June 15, 2015 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 1.0.0 and below Vulnerability Type:...

7.5AI score
Exploits0Affected Software1
Typo3
Typo3
added 2013/09/25 12:0 a.m.24 views

Information Disclosure in extension Direct Mail (direct_mail)

It has been discovered that the extension "Direct Mail" direct mail is susceptible to Information Disclosure Release Date: September 25, 2013 Bulletin update: September 18, 2014 added CVE Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affect...

7.4AI score0.01663EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2012/03/28 12:0 a.m.24 views

Several vulnerabilities in third party extensions

Several vulnerabilities have been found in the following third-party TYPO3 extensions: fewhois, cagtables, additionalreports, generaldatadisplay, realty, dkdfeuserbelogin, tcfbconnect, dixeasylogin, ajadofacebook, facebook2t3, sociallogin2t3, kbeventboard, news Release Date: March 28, 2012 Please...

7.9AI score
Exploits0Affected Software13
Typo3
Typo3
added 2009/06/16 12:0 a.m.24 views

TYPO3 Security Bulletin

It has been discovered that the extension CWT Community cwtcommunity is vulnerable to SQL-injections. Release Date: June 16 2009 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.0.3 and all versions below...

7.3AI score
Exploits0Affected Software1
Typo3
Typo3
added 2007/07/03 12:0 a.m.24 views

Multiple vulnerabilities in all variants of MySQLDumper

Multiple vulnerabilities have been found in the third party extension "mysqldumper". Full read/write access to the connected database and other related issues. Component Type: Third party extension. This extension is not part of the TYPO3 default installation Affected Versions: a TYPO3 extension...

7.4AI score
Exploits0Affected Software1
Typo3
Typo3
added 2021/11/10 12:0 a.m.23 views

Cross-Site Scripting in extension "Google for Jobs" (google_for_jobs)

The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability...

3.5CVSS5.5AI score0.00493EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2020/07/07 12:0 a.m.23 views

Multiple vulnerabilities in extension "mm_forum" (mm_forum)

The extension fails to properly encode user input for output in HTML context. Also the extension fails to implement a CSRF protection for update profile plugin...

5.8CVSS5.6AI score0.00367EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2019/10/15 12:0 a.m.23 views

Multiple vulnerabilities in extension "SLUB: Event Registration" (slub_events)

The extension allows to upload arbitrary files to the webserver. For versions 1.2.2 and below, this vulnerability results in Remote Code Execution. In versions later than 1.2.2, the vulnerability can result in Denial of Service, since the webspace can be filled up with arbitrary files. The...

7.5CVSS9.3AI score0.02528EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2018/07/12 12:0 a.m.23 views

Insecure Deserialization in TYPO3 CMS

It has been discovered that the Form Framework system extension "form" is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package “yaml”, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting...

7AI score
Exploits0Affected Software1
Typo3
Typo3
added 2016/03/03 12:0 a.m.23 views

Cross-Site Scripting in extension "Extension Kickstarter" (kickstarter)

It has been discovered that the extension "Extension Kickstarter" kickstarter is susceptible to Cross-Site Scripting. Release Date: March 03, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 0.5.3 and below...

6.5AI score
Exploits0Affected Software1
Typo3
Typo3
added 2016/02/23 12:0 a.m.23 views

Cross-Site Scripting in TYPO3 component CSS styled content

It has been discovered, that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: February 23, 2016 Vulnerable subcomponent: CSS styled content Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3 Severity: Medium...

6.9AI score
Exploits0Affected Software1
Typo3
Typo3
added 2016/02/16 12:0 a.m.23 views

SQL Injection in dbal

It has been discovered, that TYPO3 is susceptible to SQL Injection Component Type: TYPO3 CMS Release Date: February 16, 2016 Vulnerable subcomponent: Dbal Vulnerability Type: SQL Injection Affected Versions: Versions 6.2.0 to 6.2.17 Severity: High Suggested CVSS v2.0:...

8.1AI score
Exploits0Affected Software1
Typo3
Typo3
added 2012/08/08 12:0 a.m.23 views

Cross-site scripting vulnerability in extension powermail for TYPO3 (powermail)

It has been discovered that the extension "powermail" powermail is vulnerable to Cross-Site Scripting, SQL Injection and Arbitrary Code Execution. Release Date: August 8, 2012 Bulletin update: August 9, 2012 added update help for extension manager, added further download link Component Type: Thir...

7.7AI score
Exploits0Affected Software1
Typo3
Typo3
added 2011/10/20 12:0 a.m.23 views

Remote Command Execution and Remote File Disclosure vulnerability in extension pdf_generator2

It has been discovered that the extension pdfgenerator2 is vulnerable to Remote Code Execution and Remote File Disclosure Release Date: Oktober 20, 2011 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 0.21.0 and all...

7.4AI score
Exploits0Affected Software1
Typo3
Typo3
added 2010/02/23 12:0 a.m.23 views

Vulnerabilities in TYPO3 Core

It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, Authentication Bypass for frontend users and Information Disclosure. Component Type: TYPO3 Core Affected Versions: 4.2.11 and below, 4.3.1 and below Vulnerability Types: Authentication Bypass, Cross-Site Scripting XSS,...

6.4AI score
Exploits0Affected Software1
Typo3
Typo3
added 2009/08/18 12:0 a.m.23 views

Cross-Site Scripting vulnerability in extension Commerce (commerce)

It has been discovered that the extension Commerce commerce is vulnerable to Cross-Site Scripting attacks. Release Date: August 18, 2009 Component Type: Third party extension. This extension is not part of the TYPO3 default installation. Affected Versions: Version 0.9.8 and below. Vulnerability...

6.2AI score
Exploits0Affected Software1
Typo3
Typo3
added 2008/09/24 12:0 a.m.23 views

TYPO3 Security Bulletin

It has been discovered that the extension phpMyAdmin phpmyadmin is vulnerable to Cross-Site Scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 3.3.0 and all versions below Vulnerability Type: Cross-Site...

6.6AI score
Exploits0Affected Software1
Typo3
Typo3
added 2007/01/29 12:0 a.m.23 views

Multiple vulnerabilities in extension mm_forum

It has been discovered that the extension mmforum is vulnerable to multiple SQL Injection attacks and multiple XSS flaws alongside other vulnerabilities. Component Type: Third party extension. This extension is not part of the TYPO3 default installation. Affected Versions: Version 0.1.2 and all...

7.1AI score
Exploits0Affected Software1
Typo3
Typo3
added 2020/09/02 12:0 a.m.22 views

Multiple vulnerabilities in extension "Event management and registration" (sf_event_mgt)

A missing access check in the backend module allows an authenticated backend user to export participant data for events which the user does not have access to, resulting in Information Disclosure...

4CVSS3.9AI score0.0077EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2020/09/02 12:0 a.m.22 views

Information Disclosure in extension "Localization Manager" (l10nmgr)

A missing access check allows an authenticated backend user to view and export data of translatable fields which are outside of the users access scope resulting in Information Disclosure...

4CVSS4.5AI score0.00824EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2019/01/22 12:0 a.m.22 views

Cross-Site Scripting in Flash component (ELTS)

It has been discovered, that the third party component websvg is vulnerable to cross-site scripting. A browser with Flash plugin installed is needed in order to exploit this vulnerability...

4.3CVSS5.9AI score0.05214EPSS
Exploits1Affected Software1
Typo3
Typo3
added 2016/03/03 12:0 a.m.22 views

Cross-Site Scripting in extension "List frontend users" (listfeusers)

It has been discovered that the extension "List frontend users" listfeusers is susceptible to Cross-Site Scripting. Release Date: March 03, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 0.9.9 and below...

6.6AI score
Exploits0Affected Software1
Typo3
Typo3
added 2016/02/23 12:0 a.m.22 views

Denial of Service attack possibility in TYPO3 component Indexed Search

It has been discovered, that TYPO3 is susceptible to a Denial of Service attack. Component Type: TYPO3 CMS Release Date: February 23, 2016 Vulnerable subcomponent: Indexed Search Vulnerability Type: Denial of Service attack Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3 Severity:...

7AI score
Exploits0Affected Software1
Typo3
Typo3
added 2016/02/23 12:0 a.m.22 views

XML External Entity (XXE) Processing in TYPO3 Core

It has been discovered, that TYPO3 is susceptible to XML External Entity Processing Component Type: TYPO3 CMS Release Date: February 23, 2016 Vulnerable subcomponent: TYPO3 CMS Vulnerability Type: XML External Entity Processing Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3...

7AI score
Exploits0Affected Software1
Typo3
Typo3
added 2010/09/22 12:0 a.m.22 views

TYPO3 Security Bulletin

It has been discovered that the extension powermail powermail is vulnerable to Cross-Site Scripting, SQL Injection and Validation Bypass Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.5.3 and below Vulnerability...

7.1AI score
Exploits0Affected Software1
Typo3
Typo3
added 2009/10/22 12:0 a.m.22 views

Multiple vulnerabilities in TYPO3 Core

It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, SQL-Injection, Remote Command Execution, Information Disclosure and insecure Install Tool authentication/session handling. Component Type: TYPO3 Core Affected Versions: TYPO3 versions 4.0.13 and below, 4.1.12 and below,...

8AI score
Exploits0Affected Software1
Typo3
Typo3
added 2008/10/20 12:0 a.m.22 views

SQL Injection in extension Commerce (commerce)

It has been discovered that the extension Commerce commerce is vulnerable to SQL Injection attacks. Component Type: Third party extension. This extension is not part of the TYPO3 default installation. Affected Versions: Version 0.9.6 and below. Vulnerability Type: SQL Injection Severity: HIGH...

7.6AI score
Exploits0Affected Software1
Typo3
Typo3
added 2008/06/19 12:0 a.m.22 views

TYPO3 Security Bulletin

Several vulnerabilities have been found in TYPO3 third party extensions. Please read first: This Collective Security Bulletin CSB is a listing of vulnerable extensions with neither significant download numbers nor other special importance amongst the TYPO3 Community. The intention of CSBs is to...

7.8AI score
Exploits0Affected Software12
Typo3
Typo3
added 2007/02/21 12:0 a.m.22 views

Email header injection

A problem has been discovered where the internal form engine can be used for sending arbitrary mail headers, using it for purposes which it is not meant for. Component Type: TYPO3 Core Affected Versions: TYPO3 4.x below 4.0.5, 4.1beta, 4.1RC1, TYPO3 Versions 3.x Vulnerability Type: Email header...

7AI score
Exploits0Affected Software1
Typo3
Typo3
added 2007/01/24 12:0 a.m.22 views

Tip-a-friend - Header Injection

A header injection problem has been found in the extension tipafriend Component Type: Third party extension. The extension is not part of the TYPO3 default installation Affected Versions: 1.2.2 and earlier Vulnerability Type: Header Injection Severity: HIGH Problem Description: A problem has been...

7.3AI score
Exploits0Affected Software1
Typo3
Typo3
added 2020/05/12 12:0 a.m.21 views

Cross-Site Scripting in "SVG Sanitizer" (svg_sanitizer)

Slightly invalid or incomplete SVG markup is not correctly processed and thus not sanitized at all. Albeit the markup is not valid it is still evaluated in browsers can lead to Cross-Site Scripting...

3.5CVSS1.5AI score0.0054EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2019/12/17 12:0 a.m.21 views

Multiple vulnerabilities in extension "MKSamlAuth" (mksamlauth)

The extension fails to validate the response from the Identity Provider which allows an attacker to create various frontend users on affected TYPO3 websites...

6.8AI score
Exploits0Affected Software1
Typo3
Typo3
added 2019/12/17 12:0 a.m.21 views

SQL Injection in low-level Query Generator

Failing to properly escape user submitted content, class QueryGenerator is vulnerable to SQL injection...

6.5CVSS7.7AI score0.00868EPSS
Exploits0Affected Software1
Typo3
Typo3
added 2019/05/07 12:0 a.m.21 views

Open Redirect in extension "Hairu" (hairu)

The extension fails to validate user input for the parameter “redirecturl”, which allows a redirect to an arbitrary URL after a successful user login...

7AI score
Exploits0Affected Software1
Typo3
Typo3
added 2019/05/07 12:0 a.m.21 views

Security Misconfiguration since TYPO3 9.4.0

Salted Passwords was bundled in TYPO3 as ext:saltedpasswords and got merged with the core component ext:core with TYPO3 v9.4.0 see documentation of issue 85833...

6.9AI score
Exploits0Affected Software1
Typo3
Typo3
added 2015/12/15 12:0 a.m.21 views

Cross-Site Scripting vulnerability in typolinks

It has been discovered, that TYPO3 is susceptible to Cross-Site Scripting Component Type: TYPO3 CMS Release Date: December 15, 2015 Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.15, 7.0.0 to 7.6.0 Severity: Low Suggested CVSS v2.0:...

6.5AI score
Exploits0Affected Software1
Typo3
Typo3
added 2015/09/30 12:0 a.m.21 views

Information Disclosure in extension "Adminer" (t3adminer)

It has been discovered that the extension "Adminer" t3adminer is susceptible to Information Disclosure. Release Date: September 30, 2015 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 7.0.1 and below Vulnerability...

6.9AI score
Exploits0Affected Software1
Typo3
Typo3
added 2011/06/14 12:0 a.m.21 views

Several vulnerabilities in third party extensions

Several vulnerabilities have been found in the following third-party TYPO3 extensions: Photogallery cegallery, SEO Photogallery by Evorion evgallery Release Date: June 14, 2011 Please read first: This Collective Security Bulletin CSB is a listing of vulnerable extensions with neither significant...

7.5AI score
Exploits0Affected Software2
Typo3
Typo3
added 2008/11/10 12:0 a.m.21 views

TYPO3 Security Bulletin

It has been discovered that the extension phpMyAdmin phpmyadmin is vulnerable to Cross-Site Scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 4.1.0 and all versions below Vulnerability Type: Cross-Site...

6.8AI score
Exploits0Affected Software1
Typo3
Typo3
added 2008/07/01 12:0 a.m.21 views

Multiple vulnerabilities in extension Send-A-Card (sr_sendcard)

It has been discovered that the extension Send-A-Card srsendcard is open to multiple security issues. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 2.2.2 and all versions below Vulnerability Type: Insufficient...

6.6AI score
Exploits0Affected Software1
Typo3
Typo3
added 2006/12/05 12:0 a.m.21 views

thumbs.php

A problem has been discovered with thumbs.php providing access to unwanted files Component Type: TYPO3 Core Affected Versions: ALL Vulnerability Type: Image Access Severity: minor Problem Description: TYPO3 uses a script t3lib/thumbs.php to display thumbnails of images and/or PDF documents. It ha...

6.7AI score
Exploits0Affected Software1
Total number of security vulnerabilities473