473 matches found
Cross-Site Scripting in extension "Frontend Treeview" (mh_treeview)
The extension fails to properly encode user input for output in HTML context...
Multiple vulnerabilities in extension "Fe user statistic" (festat)
It has been discovered that the extension "Fe user statistic" festat is susceptible to Cross-Site Scripting, Insecure Unserialize and Information Disclosure. Release Date: March 03, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affecte...
Cross-Site Scripting in legacy form component
It has been discovered, that TYPO3 is susceptible to Cross-Site Scripting Component Type: TYPO3 CMS Release Date: February 16, 2016 Vulnerable subcomponent: legacy form component Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.17 Severity: Low Suggested CVSS v2.0...
SQL Injection in extension "Akronymmanager" (sb_akronymmanager)
It has been discovered that the extension "Akronymmanager" sbakronymmanager is susceptible to SQL Injection Release Date: June 18, 2015 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 0.5.0 and below Vulnerability...
Multiple vulnerabilities in Drag Drop Mass Upload (ameos_dragndropupload)
It has been discovered that the extension "Drag Drop Mass Upload" ameosdragndropupload is susceptible to Cross-Site Scripting, Cross-Site Request Forgery and Improper Access Control. Release Date: December 15, 2014 Component Type: Third party extension. This extension is not a part of the TYPO3...
Several vulnerabilities in extension Formhandler (formhandler)
It has been discovered that the extension "Formhandler" Formhandler is vulnerable to SQL-Injection, Arbitrary Code Execution and Authentication Bypass. Release Date: August 05, 2013 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected...
Several Vulnerabilities in extension Formhandler (formhandler)
It has been discovered that the extension Formhandler formhandler is vulnerable to SQL-Injection and Cross-Site Scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.4.0 and below Vulnerability Types: SQL...
Cross-site scripting vulnerability in extension Seminars (seminars)
It has been discovered that the extension "Seminars" seminars is vulnerable to cross-site scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 0.9.3 and below Vulnerability Type: Cross-site scripting Severity:...
Cross-Site scripting vulnerability in extension t3blog (t3blog)
It has been discovered that the extension "T3Blog" t3blog is vulnerable to Cross-Site Scripting. Release Date: September 27, 2011 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.1.1 and all versions below...
Several Vulnerabilities in extension Direct Mail Subscription (direct_mail_subscription)
Several vulnerabilities have been found in the following third-party TYPO3 extension: directmailsubscription Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.1.0 and below Vulnerability Types: SQL Injection,...
Cross Site Scripting Vulnerability in extension Questionaire (pbsurvey)
It has been discovered that the extension "Questionaire" pbsurvey is vulnerable to Cross-Site Scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.3.0 and below Vulnerability Types: Cross-Site Scripting...
Cross-Site Scripting vulnerability in extension mm_forum (mm_forum)
It has been discovered that the extension mmforum mmforum is vulnerable to Cross-Site Scripting. Release Date: March 16, 2010 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.8.2 and all versions below Vulnerabilit...
Multiple vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third party TYPO3 extensions: AN Search it! ansearchit, Simple download-system with counter and categories kkdownloader, Automatic Base Tags for RealUrl ltbasetag, Trips mchtrips, simple Glossar simpleglossar, TW Productfinder...
Information Disclosure in third party extension "Frontend User registration"
It has been discovered that the TYPO3 extension "Frontend User Registration" srfeuserregister is susceptible to Information Disclosure. Release Date: April 6, 2009 Component Type: Third party extension. This extension is not a part of a TYPO3 default installation. Affected Versions: 2.5.20 and al...
TYPO3 Security Bulletin
Several vulnerabilities have been found in the following third party TYPO3 extensions: "Vox populi" mvvoxpopuli, "SB Universal Plugin" SBuniplug, "Simple File Browser" simplefilebrowser, "TU-Clausthal ODIN" tucodin, "TU-Clausthal Staff" tucstaff, "WEBERkommunal Facilities" wesfacilities Please re...
TYPO3 Security Bulletin
Several vulnerabilities have been found in the following third party TYPO3 extensions: JobControl dmmjobcontrol, Econda Plugin econda, Frontend Users View feusersview, Mannschaftsliste kiddogplayerlist, M1 Intern m1intern, Simple survey simplesurvey, Page Improvements smpageimprovements Please re...
TYPO3 Security Bulletin
Several vulnerabilities have been found in TYPO3 third party extensions. Please read first: This Collective Security Bulletin CSB is a listing of vulnerable extensions with neither significant download numbers, nor other special importance amongst the TYPO3 Community. The intention of CSBs is to...
Information disclosure in w4x_backup
It has been discovered that the extension w4xbackup has several security related issues, which may disclosure confidential information. Component Type: Third party extension. This extension is not part of the TYPO3 default installation Affected Versions: Version 0.9.1 and all versions below...
SQL injection in macina_banners / ric_rotation
It has been discovered that the extensions macinabanners and its descendant ricrotation are exposed to an SQL injection issue because they fail to properly sanitize user-supplied input. Component Type: Third party extensions. These extensions are not part of the TYPO3 default installation Affecte...
Remote Command Execution
A critical problem has been discovered in plugin class.txrtehtmlareapi1.php that is used for spell-checking in the rtehtmlarea extension. Component Type: System Extension TYPO3 Versions 4.0-4.0.3, 4.1beta Third Party Extension TYPO3 Versions up to 3.8.1. Since TYPO3 Version 4.0 the extension is...
tip-a-friend
A problem has been discovered with tip-a-friend being vulnerable to Cross-Site-Scripting XSS Component Type: Third Party Extension. The extension is not part of the TYPO3 default installation Affected Components: tipafriend Versions: 1.2.1 and earlier Vulnerability Type: Cross Site Scripting...
TYPO3 Security Bulletin
Two problems path traversal and SQL injection have been discovered in the extension damdownloads Component Type: Third Party Extension. The extension is not part of the TYPO3 default installation Affected Components: damdownloads Versions: 1.0.1 and earlier Vulnerability Type: Path traversal and...
TYPO3 Security Bulletin
A weakness in the display of forum messages of chcforum has been discovered that may be used to execute arbitrary SQL Component Type: Third Party Extension. The extension is not part of the TYPO3 default installation Affected Components: chcforum Versions: 1.4.4 and earlier Vulnerability Type: SQ...
TYPO3 Security Bulletin
Remote exploitation of an input validation vulnerability in AWStats allows remote attackers to execute arbitrary commands. Successful exploitation results in the execution of arbitrary commands with permissions of the web service. This may compromise systems using extensions providing AWStats...
File Content Injection in extension "Hardcoded text to Locallang" (mqk_locallangtools)
The extension fails to verify the filename of saved language files which results in File Content Injection. An authenticated user with editor permissions can use the vulnerability to inject predefined content into any file the webserver has access to resulting in affected files being corrupted...
CSRF in extension "Change password for frontend users" (fe_change_pwd)
The extension fails to implement a CSRF protection for update password action...
CSRF in extension "femanager" (femanager)
The extension fails to implement a CSRF protection for edit and delete actions...
Security Misconfiguration in User Session Handling
When users change their password existing sessions for that particular user account are not revoked. A valid backend or frontend user account is required in order to make use of this vulnerability...
SQL Injection in extension "comsolit Suggest" (comsolit_suggest)
The extension fails to properly sanitize user input and is susceptible to SQL Injection...
Remote Code Execution in extension "ImageOptimizer" (imageoptimizer)
The extension fails to validate arguments passed to a shell command resulting in Remote Code Execution. The issue is only exploitable, if an attacker is able to upload files directly e.g. SFTP or FTP to the filesystem...
Cross Site Scripting in extension "Instagram" (ws_instagram)
The extension fails to properly encode user input for output in HTML context...
Information Disclosure of Installed Extensions
It has been discovered that mechanisms used for configuration of RequireJS package loading are susceptible to information disclosure. This way a potential attack can retrieve additional information about installed system and third party extensions...
Cross-Site Scripting in extension "libconnect" (libconnect)
The extension fails to properly encode user input for output in HTML context...
Cross-Site Scripting in extension "Heise Shariff" (rx_shariff)
The extension fails to properly encode user input for output in HTML context...
Cross-Site Scripting in form component
It has been discovered, that TYPO3 is susceptible to Cross-Site Scripting Component Type: TYPO3 CMS Release Date: February 16, 2016 Vulnerable subcomponent: form component Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.17 Severity: Low Suggested CVSS v2.0:...
Multiple Cross-Site Scripting vulnerabilities in TYPO3 backend
It has been discovered, that TYPO3 is susceptible to Cross-Site Scripting Component Type: TYPO3 CMS Release Date: December 15, 2015 Vulnerable subcomponent: Backend Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.15, 7.0.0 to 7.6.0 Severity: Low Suggested CVSS...
Unauthenticated Path Disclosure
It has been discovered, that TYPO3 is susceptible to unauthenticated path disclosure. Component Type: TYPO3 CMS Release Date: September 8, 2015 Vulnerable subcomponent: Frontend Vulnerability Type: Information Disclosure Affected Versions: Versions 6.2.0 to 6.2.14, 7.0.0 to 7.3.1 Severity: Low...
Important Security-Bulletin Pre-Announcement
A TYPO3 4.5.40 release containing a security fix will be published the day after tomorrow, Thursday 19th of February at about 10:00 am CET. The TYPO3 security team has identified a critical security issue in the TYPO3 v4 Core. The following branches are affected by the vulnerability: TYPO3 4.3...
Cross-Site Scripting vulnerability in extension Basic SEO Features (seo_basics)
It has been discovered that the extension "Basic SEO Features" seobasics is vulnerable to Cross-Site Scripting Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 0.8.1 and below Vulnerability Type: Cross-Site Scripting...
Multiple XSS vulnerabilities in extension phpMyAdmin (phpmyadmin)
It has been discovered that the extension phpMyAdmin phpmyadmin is vulnerable to Cross-Site Scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 4.11.4 and below Vulnerability Type: Multiple Cross-Site Scripti...
Directory Traversal and Code Injection vulnerability in extension phpMyAdmin (phpmyadmin)
It has been discovered that the extension phpMyAdmin phpmyadmin is vulnerable to Directory Traversal and Code Injection. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 4.11.1 and below Vulnerability Type: Directory...
Multiple vulnerabilities in TYPO3 Core
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting XSS, Open Redirection, SQL Injection, Broken Authentication and Session Management, Insecure Randomness, Information Disclosure, Arbitrary Code Execution Component Type: TYPO3 Core Affected Versions: 4.1.13 and below,...
Cross Site Scripting vulnerability in faq
It has been discovered that the extension faq is susceptible to cross site scripting XSS attacks, making it possible to execute arbitrary JavaScript. Component Type: Third party extension. This extension is not part of the TYPO3 default installation Affected Versions: Version 0.0.7 and all versio...
chc_forum
A bug has been discovered in the "CHC Forum" chcforum extension where some Javascript expressions are not properly caught when entered in forms. Thus, specially crafted entries may be used to inject malicious code. Component Type: Third Party Extension. This extension is third party code that has...
TYPO3 Security Bulletin
A debug script exposes system information provided by phpinfo. By default, the script can be executed by a remote user. Component Type: Core Affected Component: Debug Script Version: 3.8.0 and earlier Vulnerability Type: Information Disclosure Severity: Low Problem Description: A debug script...
Information Disclosure in User Authentication
It has been discovered that login failures have been logged on the default stream with log level "warning" including plain-text user credentials...
Security Misconfiguration for Backend User Accounts
When using the TYPO3 backend in order to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed - which might be entity type or the admin flag for backend users - the backend form is reloaded in orde...
Denial of Service in Online Media Asset Handling
Online Media Asset Handling .youtube and .vimeo files in the TYPO3 backend is vulnerable to denial of service. Putting large files with according file extensions results in high consumption of system resources. This can lead to exceeding limits of the current PHP process which results in a...
Missing Access Check in extension "Register to tt_address" (registeraddress)
Due to a missing access check, it is possible to delete certain ttaddress records...
Information Disclosure in Direct Mail Subscription (direct_mail_subscription)
It has been discovered that the extension "Direct Mail Subscription" directmailsubscription is susceptible to Information Disclosure. Release Date: January 16, 2015 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: 2.0.1...