473 matches found

Typo3
added 2018/08/09 12:0 a.m. | 8 views

Information Disclosure in extension "TemplaVoilà! Plus" (templavoilaplus)

Due to a missing access check it is possible to view the contents of any file within a TYPO3 installation. A valid backend user account having access to the "TemplaVoilà! Plus" backend module is needed in order to exploit this vulnerability...

6.7 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2018/08/09 12:0 a.m. | 10 views

Cross-Site Scripting in extension "Frontend Treeview" (mh_treeview)

The extension fails to properly encode user input for output in HTML context...

6.8 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2018/07/12 12:0 a.m. | 12 views

Privilege Escalation & SQL Injection in TYPO3 CMS

Failing to properly dissociate system related configuration from user generated configuration, the Form Framework system extension "form" is vulnerable to SQL injection and Privilege Escalation. Basically instructions can be persisted to a form definition file that were not configured to be...

8.1 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2018/07/12 12:0 a.m. | 29 views

Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS

Phar files formerly known as "PHP archives" can act as self-extracting archives which leads to the fact that source code is executed when Phar files are invoked. The Phar file format is not limited to be stored with a dedicated file extension - "bundle.phar" would be valid as well as "bundle.txt...

6.8 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2018/07/12 12:0 a.m. | 107 views

Authentication Bypass in TYPO3 CMS

It has been discovered that TYPO3’s Salted Password system extension which is a mandatory system component is vulnerable to Authentication Bypass when using hashing methods which are related by PHP class inheritance. In standard TYPO3 core distributions stored passwords using the blowfish hashing...

6.8 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2018/07/12 12:0 a.m. | 20 views

Insecure Deserialization in TYPO3 CMS

It has been discovered that the Form Framework system extension "form" is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package “yaml”, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting...

7 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2017/12/19 12:0 a.m. | 6 views

Cross Site-Scripting in extension "Caretaker" (caretaker)

Solution: An updated version 0.8.1 is available from the TYPO3 Extension Manager and at . Users of the extension are advised to update the extension as soon as possible...

6.8 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2017/09/05 12:0 a.m. | 492 views

Cross-Site Scripting in TYPO3 CMS Backend

It has been discovered, that TYPO3 CMS is vulnerable to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: September 5, 2017 Vulnerability Type: Cross-Site Scripting Affected Versions: 8.0.0 to 8.7.4 Severity: Low Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C CVE: not...

6.9 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2017/09/05 12:0 a.m. | 511 views

Arbitrary Code Execution in TYPO3 CMS

It has been discovered, that TYPO3 CMS is vulnerable to Arbitrary Code Execution. Component Type: TYPO3 CMS Release Date: September 5, 2017 Vulnerability Type: Arbitrary Code Execution Affected Versions: 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 Severity: None - High depending on web server configuratio...

7.3 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2017/09/05 12:0 a.m. | 498 views

Information Disclosure in TYPO3 CMS

It has been discovered, that TYPO3 CMS is susceptible to Information Disclosure. Component Type: TYPO3 CMS Release Date: September 5, 2017 Vulnerability Type: Information Disclosure Affected Versions: 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 Severity: Low Suggested CVSS v2.0:...

7 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2017/09/05 12:0 a.m. | 494 views

Information Disclosure in TYPO3 CMS

It has been discovered, that TYPO3 CMS is susceptible to Information Disclosure. Component Type: TYPO3 CMS Release Date: September 5, 2017 Vulnerability Type: Information Disclosure Affected Versions: 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 Severity: Low Suggested CVSS v2.0:...

7 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2017/07/11 12:0 a.m. | 670 views

Remote Code Execution in extension "PHPMailer" (bb_phpmailer)

It has been discovered that the extension "PHPMailer" (bb_phpmailer) is susceptible to Remote Code Execution. Release Date: July 11, 2017 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 1.73.1 and below Vulnerability...

7.5 CVSS | 3.6 AI score | 0.93108 EPSS
Exploits: 19 | Affected Software: 1

Typo3
added 2017/07/11 12:0 a.m. | 603 views

Remote Code Execution in extension "Maag Sendmail" (maag_sendmail)

It has been discovered that the extension "Maag Sendmail" (maag_sendmail) is susceptible to Remote Code Execution. Release Date: July 11, 2017 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 2.0.0 and below Vulnerabili...

7.5 CVSS | 3.4 AI score | 0.93108 EPSS
Exploits: 19 | Affected Software: 1

Typo3
added 2017/07/11 12:0 a.m. | 654 views

Remote Code Execution in extension "AH Sendmail" (ah_sendmail)

It has been discovered that the extension "AH Sendmail" (ah_sendmail) is susceptible to Remote Code Execution. Release Date: July 11, 2017 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 2.0.0 and below Vulnerability...

7.5 CVSS | 3.5 AI score | 0.93108 EPSS
Exploits: 19 | Affected Software: 1

Typo3
added 2017/07/11 12:0 a.m. | 563 views

SQL Injection in extension "Faceted Search" (ke_search)

It has been discovered that the extension "Faceted Search" (ke_search) is susceptible to SQL Injection. Release Date: July 11, 2017 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 2.4.1 and below Vulnerability Type: SQ...

7.3 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2017/07/11 12:0 a.m. | 511 views

SQL Injection in extension "Content Rating Extbase" (content_rating_extbase)

It has been discovered that the extension "Content Rating Extbase" (content_rating_extbase) is susceptible to SQL Injection. Release Date: July 11, 2017 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 2.0.3 and below...

7.3 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2017/04/10 12:0 a.m. | 508 views

SQL Injection in extension "Event management and registration" (sf_event_mgt)

It has been discovered that the extension "Event management and registration" (sf_event_mgt) is susceptible to SQL Injection. Release Date: April 10, 2017 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 1.8.0 and below...

7.2 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2017/04/10 12:0 a.m. | 1555 views

SQL Injection in extension "News system" (news)

It has been discovered that the extension "News system" (news) is susceptible to SQL Injection. Release Date: April 10, 2017 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 5.3.2 and below Vulnerability Type: SQL...

7.2 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2017/02/28 12:0 a.m. | 499 views

Cross-Site Scripting in TYPO3 CMS

It has been discovered, that TYPO3 is vulnerable to Cross-Site Scripting Component Type: TYPO3 CMS Release Date: February 28, 2017 Vulnerability Type: Cross-Site Scripting Affected Versions: 7.6.0 to 7.6.15 and 8.0.0 to 8.6.0 Severity: Low Suggested CVSS v2.0:...

6.9 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2017/02/28 12:0 a.m. | 599 views

Authentication Bypass in TYPO3 Frontend

It has been discovered, that TYPO3 CMS is vulnerable to Authentication Bypass. Component Type: TYPO3 CMS Release Date: February 28, 2017 Vulnerable subcomponent: Frontend Vulnerability Type: Authentication Bypass Affected Versions: Versions 8.2.0 to 8.6.0 Severity: Medium Suggested CVSS v2.0:...

7.3 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2017/01/03 12:0 a.m. | 607 views

Remote Code Execution in third party library swiftmailer

It has been discovered, that the third party package swiftmailer/swiftmailer is vulnerable to Remote Code Execution Component Type: TYPO3 CMS Release Date: January 3, 2017 Vulnerability Type: Remote Code Execution Affected Versions: 6.2.0 to 6.2.29, 7.6.0 to 7.6.14 and 8.0.0 to 8.5.0 Severity: Lo...

9.7 AI score | 0.73109 EPSS
Exploits: 18 | Affected Software: 1

Typo3
added 2016/11/22 12:0 a.m. | 491 views

Insecure Unserialize in TYPO3 Backend

It has been discovered, that TYPO3 is susceptible to Insecure Unserialize. Component Type: TYPO3 CMS Release Date: November 22, 2016 Vulnerable subcomponent: Backend Vulnerability Type: Insecure Unserialize Affected Versions: Versions 6.2.0 to 6.2.28, 7.6.0 to 7.6.12 and 8.0.0 to 8.4.0 Severity:...

7 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/11/22 12:0 a.m. | 503 views

Path Traversal in TYPO3 Core

It has been discovered, that TYPO3 is susceptible to Path Traversal. Component Type: TYPO3 CMS Release Date: November 22, 2016 Vulnerable subcomponent: Core Vulnerability Type: Path Traversal Affected Versions: Versions 6.2.0 to 6.2.28, 7.6.0 to 7.6.12 and 8.0.0 to 8.4.0 Severity: Low Suggested...

7.1 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/11/14 12:0 a.m. | 479 views

Unvalidated Redirect in extension "TC Directmail" (tcdirectmail)

It has been discovered that the extension "TC Directmail" (tcdirectmail) is susceptible to Unvalidated Redirect. Release Date: November 14, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 3.1.2 and below...

6.6 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/11/14 12:0 a.m. | 479 views

Cross-Site Scripting in extension "Store Locator" (locator)

It has been discovered that the extension "Store Locator" (locator) is susceptible to Cross-Site Scripting. Release Date: November 14, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 3.3.6 and below Vulnerability...

6.6 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/11/14 12:0 a.m. | 485 views

Cross Site-Scripting in extension "Secure Download Form" (rs_securedownload)

It has been discovered that the extension "Secure Download Form" (rs_securedownload) is susceptible to Cross Site-Scripting. Release Date: November 14, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 0.3.2 and bel...

6.7 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/11/14 12:0 a.m. | 482 views

Insecure Unserialize and SQL Injection in extension "Code Highlighter" (mh_code_highlighter)

It has been discovered that the extension "Code Highlighter" (mh_code_highlighter) is susceptible to Insecure Unserialize and SQL Injection. Release Date: November 14, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: versio...

7.4 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/11/14 12:0 a.m. | 485 views

SQL Injection in extension "Member Infosheets" (if_membersheet)

It has been discovered that the extension "Member Infosheets" (if_membersheet) is susceptible to SQL Injection. Release Date: November 14, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 0.1.2 and below...

7.3 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/11/14 12:0 a.m. | 480 views

SQL Injection in extension "Shibboleth Authentication" (shibboleth_auth)

It has been discovered that the extension "Shibboleth Authentication" (shibboleth_auth) is susceptible to SQL Injection. Release Date: November 14, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 2.6.3 and below...

7.3 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/11/11 12:0 a.m. | 485 views

Cross-Site Scripting in extension "HTML5 Video Player" (html5videoplayer)

It has been discovered that the extension "HTML5 Video Player" (html5videoplayer) is susceptible to Cross-Site Scripting. Release Date: November 11, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 6.7.0 and below...

6.3 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/11/11 12:0 a.m. | 489 views

Multiple vulnerabilities in extension "TC Directmail " (tcdirectmail)

It has been discovered that the extension "TC Directmail " (tcdirectmail) is susceptible to Cross Site-Scripting and SQL Injection. Release Date: November 11, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 3.1.1...

7.7 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/09/29 12:0 a.m. | 497 views

SQL Injection in extension "GN Tactics Planner" (sf_gntactics)

It has been discovered that the extension "GN Tactics Planner" (sf_gntactics) is susceptible to SQL Injection. Release Date: September 29, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 0.2.8 and below...

7.2 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/09/29 12:0 a.m. | 484 views

SQL Injection in extension "Events" (jp_events)

It has been discovered that the extension "Events" (jp_events) is susceptible to SQL Injection. Release Date: September 29, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 0.0.2 and below Vulnerability Type: SQL...

7.2 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/09/29 12:0 a.m. | 508 views

Multiple vulnerabilities in extension "phpMyAdmin" (phpmyadmin)

It has been discovered that the extension "phpMyAdmin" (phpmyadmin) has multiple vulnerabilities. Release Date: September 29, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: 5.1.6 and below Vulnerability Type: Multiple...

7.1 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/09/13 12:0 a.m. | 538 views

Cache Flooding in TYPO3 Frontend

It has been discovered, that TYPO3 is vulnerable to Cache Flooding Component Type: TYPO3 CMS Release Date: September 13, 2016 Vulnerability Type: Cache Flooding Affected Versions: 6.2.0 to 6.2.26, 7.6.0 to 7.6.10 and 8.0.0 to 8.3.0 Severity: Low Suggested CVSS v2.0:...

6.9 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/09/13 12:0 a.m. | 479 views

Cross-Site Scripting in TYPO3 Backend

It has been discovered, that TYPO3 is vulnerable to Cross-Site Scripting Component Type: TYPO3 CMS Release Date: September 13, 2016 Vulnerability Type: Cross-Site Scripting Affected Versions: 6.2.0 to 6.2.26, 7.6.0 to 7.6.10 and 8.0.0 to 8.3.0 Severity: Low Suggested CVSS v2.0:...

6.9 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/09/12 12:0 a.m. | 494 views

Arbitrary Code Execution in extension "Frontend User Registration" (sf_register)

Release Date: September 12, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 6.2.8 and below Vulnerability Type: Arbitrary Code Execution Severity: High Suggested CVSS v2.0:...

7.4 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/09/08 12:0 a.m. | 483 views

Denial of Service in extension "Speaking URLs for TYPO3" (realurl)

It has been discovered that the extension "Speaking URLs for TYPO3" (realurl) is susceptible to Denial of Service. Release Date: September 8, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 2.0.0 to 2.0.14...

6.8 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/07/19 12:0 a.m. | 484 views

Cross-Site Scripting in third party library mso/idna-convert

It has been discovered, that TYPO3 ships example code of mso/idna-convert library that is vulnerable to Cross-Site Scripting Component Type: TYPO3 CMS Release Date: July 19, 2016 Vulnerability Type: Cross-Site Scripting Affected Versions: 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0 Severity: Low Suggested...

6.9 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/07/19 12:0 a.m. | 631 views

Environment Variable Injection

It has been discovered, that PHP exposes the risk of Environment Variable Injection and TYPO3 is vulnerable through third party library guzzlehttp/guzzle Component Type: TYPO3 CMS Release Date: July 19, 2016 Vulnerability Type: Environment Variable Injection Affected Versions: Versions 8.0.0 to...

5.1 CVSS | 0.6 AI score | 0.80902 EPSS
Exploits: 0 | Affected Software: 1

Typo3
added 2016/07/19 12:0 a.m. | 482 views

Cross-Site Scripting vulnerability in typolinks

It has been discovered, that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: July 19, 2016 Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0 Severity: Low Suggested CVSS v2.0:...

6.6 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/07/19 12:0 a.m. | 596 views

SQL Injection in TYPO3 Frontend Login

It has been discovered, that TYPO3 is susceptible to SQL Injection. Component Type: TYPO3 CMS Release Date: July 19, 2016 Vulnerable subcomponent: Frontend Login Vulnerability Type: SQL Injection Affected Versions: Versions 6.2.0 to 6.2.25 and 7.6.0 to 7.6.9 Severity: Medium Suggested CVSS v2.0:...

7.6 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/07/19 12:0 a.m. | 488 views

Insecure Unserialize in TYPO3 Import/Export

It has been discovered, that TYPO3 is susceptible to Insecure Unserialize. Component Type: TYPO3 CMS Release Date: July 19, 2016 Vulnerable subcomponent: Import/Export Vulnerability Type: Insecure Unserialize Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0 Severity:...

6.9 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/07/19 12:0 a.m. | 475 views

Information Disclosure in TYPO3 Backend

It has been discovered, that TYPO3 is susceptible to Information Disclosure. Component Type: TYPO3 CMS Release Date: July 19, 2016 Vulnerable subcomponent: Backend Vulnerability Type: Information Disclosure Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0 Severity: L...

7 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/07/19 12:0 a.m. | 496 views

Cross-Site Scripting in TYPO3 Backend

It has been discovered, that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: July 19, 2016 Vulnerable subcomponent: Backend Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0 Severity: Mediu...

6.9 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/07/07 12:0 a.m. | 491 views

Insecure Unserialize in extension "Page path" (pagepath)

It has been discovered that the extension "Page path" (pagepath) is susceptible to Insecure Unserialize. Release Date: July 7, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 1.0.3 and below Vulnerability Type:...

6.7 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/07/07 12:0 a.m. | 488 views

Cross-Site Scripting in extension "CCDebug" (cc_debug)

It has been discovered that the extension "CCDebug" (cc_debug) is susceptible to Cross-Site Scripting. Release Date: July 7, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 1.0.0 and below Vulnerability Type:...

6.6 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/06/15 12:0 a.m. | 497 views

Cross-Site Scripting in extension "Bootstrap Package" (bootstrap_package)

It has been discovered that the extension "Bootstrap Package" (bootstrap_package) is susceptible to Cross-Site Scripting. Release Date: June 15, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 6.2.15 and below...

6.6 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/05/31 12:0 a.m. | 485 views

Information Disclosure in "MMC directmail subscription" (mmc_directmail_subscription)

It has been discovered that the extension "MMC directmail subscription" (mmc_directmail_subscription) is susceptible to Information Disclosure. Release Date: May 31, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: 0.9.6 an...

6.7 AI score
Exploits: 0 | Affected Software: 1

Typo3
added 2016/05/31 12:0 a.m. | 578 views

Information Disclosure in extension "Questionnaire" (ke_questionnaire)

It has been discovered that the extension "Questionnaire" (ke_questionnaire) is susceptible to Information Disclosure. Release Date: May 31, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 2.5.8 and below...

4.3 CVSS | 6.2 AI score | 0.00285 EPSS
Exploits: 0 | Affected Software: 1

Total number of security vulnerabilities: 473