Protecting Install Tool with Sudo Mode
When the system maintainer concept was introduced with TYPO3 v9.0.0 the necessity of having to enter a password when accessing the Install Tool via backend user interface was removed...
Information Disclosure in extension "Localization Manager" (l10nmgr)
A missing access check allows an authenticated backend user to view and export data of translatable fields which are outside of the user's access scope, resulting in Information Disclosure...
Multiple vulnerabilities in extension "Event management and registration" (sf_event_mgt)
A missing access check in the backend module allows an authenticated backend user to export participant data for events which the user does not have access to, resulting in Information Disclosure...
Cross-Site Scripting in extension "Kitodo.Presentation" (dlf)
The extension fails to properly encode user input for output in HTML context. In addition, the extension also includes jQuery 3.4.1, which is known to be vulnerable to Cross-Site Scripting...
Potential Privilege Escalation
In case an attacker manages to generate a valid cryptographic message authentication code HMAC-SHA1 - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the...
Sensitive Information Disclosure
It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows injecting arbitrary data with a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below...
Sensitive Information Disclosure in extension "Media Content Element" (mediace)
It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows injecting arbitrary data with a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below...
Critical vulnerability in legacy versions of TYPO3 CMS
It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows injecting arbitrary data with a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below...
Broken Access Control in extension "typo3_forum" (typo3_forum)
The ACL check of the extension is broken under certain conditions allowing anonymous users to create forum posts although this feature is disabled for anonymous users in the access control list...
Multiple vulnerabilities in extension "mm_forum" (mm_forum)
The extension fails to properly encode user input for output in HTML context. The extension also fails to implement CSRF protection for the update profile plugin...
Cross-Site Scripting in extension "Google reCAPTCHA (v2/v3)" (jh_captcha)
The extension fails to properly encode user input for output in HTML context. The issue is only exploitable by backend users with access to TypoScript settings of the extension...
Remote Code Execution in extension "Turn!" (turn)
The extension fails to sanitize user input, resulting in Remote Code Execution. The issue is only exploitable when the attacker has FTP/SFTP access to the TYPO3 website...
Cross-Site Scripting in extension "Faceted Search" (ke_search)
The extension fails to properly encode user input for output in HTML context. The issue is only exploitable by backend users with access to indexer- and filter-configurations...
Cross-Site Scripting in "SVG Sanitizer" (svg_sanitizer)
Slightly invalid or incomplete SVG markup is not correctly processed and thus not sanitized at all. Although the markup is not valid, it is still evaluated in browsers and can lead to Cross-Site Scripting...
SQL Injection in extension "phpMyAdmin" (phpmyadmin)
Multiple vulnerabilities have been found in the phpMyAdmin component...
Sensitive Data Exposure in extension "Job Fair" (jobfair)
The extension fails to protect or obfuscate filenames of uploaded files. This allows unauthenticated users to download files with sensitive data by simply guessing the filename of uploaded files, e.g. uploads/txjobfair/cv.pdf...
Information Disclosure in Password Reset
It has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to verify whether a backend user account with a given email address exists or not...
Same-Origin Request Forgery to Backend User Interface
It has been discovered that the backend user interface and install tool are vulnerable to same-origin request forgery. A backend user can be tricked into interacting with a malicious resource that an attacker previously managed to upload to the web server - scripts are then executed with the privilege...
Insecure Deserialization in Backend User Settings
It has been discovered that backend user settings in $BE_USER->uc are vulnerable to insecure deserialization. In combination with vulnerabilities of 3rd party components this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability...
Multiple vulnerabilities in extension "Direct Mail" (direct_mail)
Denial of Service (CVE-2020-12697): The extension provides a functionality to log clicks on links in sent newsletters. This functionality does not limit the amount of log entries generated per link, so it is possible to use a valid link to fill the log table with a huge amount of records...
Class destructors causing side-effects when being unserialized
Calling unserialize on malicious user-submitted content can result in the following scenarios:...
Broken Access Control in extension "gForum" (g_forum)
The extension fails to check access rights of authenticated frontend users, allowing them to create, edit and delete various records of the extension without proper permission...
Cross-Site Scripting in Form Engine
It has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability...
Cross-Site Scripting in Link Handling
It has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting - properties being assigned as HTML attributes have not been parsed correctly...
Multiple vulnerabilities in extension "Magalone Flipbook for TYPO3" (magaloneflipbook)
An authenticated backend user can use the backend module to upload arbitrary files resulting in Remote Code Execution. Also, the backend module is susceptible to path traversal which allows an authenticated backend user to upload and overwrite files in all locations the webserver has access to...
SQL Injection in extension "phpmyadmin" (phpmyadmin)
Multiple vulnerabilities have been found in the phpMyAdmin component...
Remote Code Execution in extension "PHPUnit" (phpunit)
A PHP script located in “src/Util/PHP/eval-stdin.php” can be used to execute arbitrary PHP code in context of the webserver. The vulnerability is only exploitable if the vendor/ directory is publicly accessible...
CSRF in extension "Change password for frontend users" (fe_change_pwd)
The extension fails to implement CSRF protection for the update password action...
Insecure Deserialization in Query Generator & Query View
It has been discovered that classes QueryGenerator and QueryView are vulnerable to insecure deserialization...
Cross-Site Scripting in Form Framework validation handling
It has been discovered that the output of field validation errors in the Form Framework is vulnerable to cross-site scripting...
Possible Insecure Deserialization in Extbase Request Handling
It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized...
Privilege Escalation in extension "femanager direct mail subscription" (femanager_dmail_subscribe)
Failing to properly check access rights, the extension is susceptible to privilege escalation, making it possible for a logged in frontend user to modify other frontend user records...
Directory Traversal on ZIP extraction
It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal...
Cross-Site Scripting in Filelist Module
It has been discovered that the output table listing in the “Files” backend module is vulnerable to cross-site scripting when a file extension contains malicious sequences...
CSRF in extension "femanager" (femanager)
The extension fails to implement CSRF protection for edit and delete actions...
Cross Site Scripting in extension "File List" (file_list)
The extension fails to properly encode user input for output in HTML context...
SQL Injection in low-level Query Generator
Failing to properly escape user submitted content, class QueryGenerator is vulnerable to SQL injection...
Cross-Site Scripting in Link Handling
It has been discovered that t3:// URL handling and typolink functionality are vulnerable to cross-site scripting. Not only regular backend forms are affected but also frontend extensions which use the rendering with typolink...
Multiple vulnerabilities in extension "MKSamlAuth" (mksamlauth)
The extension fails to validate the response from the Identity Provider, which allows an attacker to create various frontend users on affected TYPO3 websites...
Cross-Site Scripting Vulnerabilities in File Upload Handling
TYPO3 allows uploading files both in the backend user interface and in custom-developed extensions. To reduce the possibility of uploading potentially malicious code, TYPO3 uses the fileDenyPattern to deny e.g. user-submitted PHP scripts from being persisted. Besides that it is possible for an...
Remote Code Execution in extension "freeCap CAPTCHA" (sr_freecap)
The extension fails to sanitize user input, which allows executing arbitrary Extbase actions, resulting in Remote Code Execution...
SQL Injection in extension "URL redirect" (url_redirect)
The extension fails to properly sanitize user input and is susceptible to SQL Injection...
Multiple vulnerabilities in extension "SLUB: Event Registration" (slub_events)
The extension allows uploading arbitrary files to the webserver. For versions 1.2.2 and below, this vulnerability results in Remote Code Execution. In versions later than 1.2.2, the vulnerability can result in Denial of Service, since the webspace can be filled up with arbitrary files. The...
Information Disclosure in extension "Direct Mail" (direct_mail)
A missing access check in the backend module of the extension allows a backend user without access to configured tables (e.g. fe_users, tt_address) to view and export data of users subscribed to a newsletter...
Information Disclosure in Backend User Interface
The element information component used to display properties of a certain record is susceptible to information disclosure. The list of references from or to the record is not properly checked for the backend user’s permissions. A valid backend user account is needed in order to exploit this...
Cross-Site Scripting in Link Handling
It has been discovered that the t3:// URL handling is vulnerable to cross-site scripting when making use of the javascript: or data: scheme in link fields like the following...
Arbitrary Code Execution and Cross-Site Scripting in Backend API
Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfig_includes is vulnerable to directory traversal leading to same scenarios as...
Insecure Deserialization in TYPO3 CMS
It has been discovered that FormEngine and DataHandler are vulnerable to insecure deserialization. A valid backend user account is needed in order to exploit this vulnerability...
Multiple vulnerabilities in extension "phpMyAdmin" (phpmyadmin)
Multiple vulnerabilities have been found in the phpMyAdmin component...
Possible deserialization side-effects in symfony/cache
Third party component symfony/cache could potentially have led to removal of arbitrary files in combination with other insecure deserialization vulnerabilities...