Non-Persistent Cross-Site Scripting in extension "Static Methods since 2007" (div2007)
It has been discovered that the extension "Static Methods since 2007" div2007 is susceptible to Cross-Site Scripting. Release Date: May 31, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 1.6.8 and below...
SQL Injection in extension "Browser - TYPO3 without PHP" (browser)
It has been discovered that the extension "Browser - TYPO3 without PHP" browser is susceptible to SQL Injection. Release Date: May 31, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 7.4.8 and below Vulnerabili...
Multiple vulnerabilities in extension "http:BL Blocking" (mh_httpbl)
It has been discovered that the extension "http:BL Blocking" mh_httpbl is susceptible to SQL Injection and Cross-Site Scripting. Release Date: May 31, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: 1.1.7 and below...
Path Traversal in extension "Media management" (media)
It has been discovered that the extension "Media management" media is susceptible to Path Traversal. Release Date: May 27, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 4.0.3 and below Vulnerability Type: Pat...
Cross-Site Scripting in extension "Formhandler" (formhandler)
It has been discovered that the extension "Formhandler" formhandler is susceptible to Cross-Site Scripting. Release Date: May 27, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 2.3.0 and below Vulnerability...
Missing Access Check in TYPO3 CMS
It has been discovered that TYPO3 CMS lacks an access check for Extbase actions. Component Type: TYPO3 CMS Release Date: May 24, 2016 Vulnerable subcomponent: Extbase Vulnerability Type: Missing access check Affected Versions: Versions 4.3.0 up to 8.1.0 Severity: Critical Suggested CVSS v2.0:...
Missing Access Check in extension "Frontend User Registration" (sf_register)
It has been discovered that the extension "Frontend User Registration" sf_register lacks a proper access check. Release Date: May 24, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 6.2.7 and below Vulnerability...
Important Security-Bulletin Pre-Announcement
TYPO3 releases containing a fix for a critical vulnerability will be published Tuesday 24th of May at about 10:00 a.m. CEST (08:00 a.m. GMT). UPDATE: Add clarification regarding TYPO3 4.5. The TYPO3 security team has identified a critical security issue in the TYPO3 CMS Core. All TYPO3 versions from...
Critical vulnerabilities in ImageMagick
Multiple vulnerabilities in ImageMagick have been discovered, Remote Code Execution being one of them. For image manipulation TYPO3 CMS makes use of either one of the third party tools GraphicsMagick or ImageMagick. Recently it has been discovered that ImageMagick exposes multiple vulnerabilitie...
Arbitrary File Disclosure in Form Component
It has been discovered that TYPO3 Form Component is susceptible to Arbitrary File Disclosure. Component Type: TYPO3 CMS Release Date: April 12, 2016 Vulnerable subcomponent: Form Vulnerability Type: Arbitrary File Disclosure Affected Versions: Versions 6.2.0 to 6.2.19 Severity: High Suggested CV...
Cross-Site Scripting in TYPO3 Backend
It has been discovered that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: April 12, 2016 Vulnerable subcomponent: Backend Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0 Severity: Medium...
Authentication Bypass in TYPO3 CMS
It has been discovered that TYPO3 CMS is vulnerable to Authentication Bypass. Component Type: TYPO3 CMS Release Date: April 12, 2016 Vulnerable subcomponent: Authentication Vulnerability Type: Authentication Bypass Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0 Severity:...
Privilege Escalation in TYPO3 CMS
It has been discovered that TYPO3 CMS is vulnerable to Privilege Escalation. Component Type: TYPO3 CMS Release Date: April 12, 2016 Vulnerable subcomponent: Version Vulnerability Type: Privilege Escalation Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0 Severity: Medium...
Multiple vulnerabilities in extension "Ajax mail subscription" (ods_ajaxmailsubscription)
It has been discovered that the extension "Ajax mail subscription" ods_ajaxmailsubscription is susceptible to Insecure Authentication and Session Handling. Release Date: March 24, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected...
SQL Injection in extension "Another simple gallery" (chgallery)
It has been discovered that the extension "Another simple gallery" chgallery is susceptible to SQL Injection. Release Date: March 10, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 2.5.3 and below Vulnerabilit...
Multiple vulnerabilities in extension phpMyAdmin (phpmyadmin)
It has been discovered that the extension "phpMyAdmin" phpmyadmin is susceptible to unsafe comparison of XSRF/CSRF token, multiple full path disclosure vulnerabilities, multiple XSS vulnerabilities, insecure password generation in JavaScript. Release Date: March 10, 2016 Component Type: Third par...
Cross-Site Scripting in extension "Extension Kickstarter" (kickstarter)
It has been discovered that the extension "Extension Kickstarter" kickstarter is susceptible to Cross-Site Scripting. Release Date: March 03, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 0.5.3 and below...
Cross-Site Scripting in extension "Google Sitemap" (enter_new_weeaar_googlesitemap)
It has been discovered that the extension "Google Sitemap" enter_new_weeaar_googlesitemap is susceptible to Cross-Site Scripting. Release Date: March 03, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 1.0.0 and...
Information Disclosure in extension "UTOPIA" (ics_utopia)
It has been discovered that the extension "UTOPIA" ics_utopia is susceptible to Information Disclosure. Release Date: March 03, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 1.0.1 and below Vulnerability Type:...
Multiple vulnerabilities in extension "Fe user statistic" (festat)
It has been discovered that the extension "Fe user statistic" festat is susceptible to Cross-Site Scripting, Insecure Unserialize and Information Disclosure. Release Date: March 03, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affecte...
Cross-Site Scripting in extension "List frontend users" (listfeusers)
It has been discovered that the extension "List frontend users" listfeusers is susceptible to Cross-Site Scripting. Release Date: March 03, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 0.9.9 and below...
Cross-Site Scripting in extension "Apache Solr for TYPO3" (solr)
It has been discovered that the extension "Apache Solr for TYPO3" solr is susceptible to Cross-Site Scripting. Release Date: March 03, 2016 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 2.8.3 and below, 3.0.0 to...
XML External Entity (XXE) Processing in TYPO3 Core
It has been discovered that TYPO3 is susceptible to XML External Entity Processing. Component Type: TYPO3 CMS Release Date: February 23, 2016 Vulnerable subcomponent: TYPO3 CMS Vulnerability Type: XML External Entity Processing Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3...
Denial of Service attack possibility in TYPO3 component Indexed Search
It has been discovered that TYPO3 is susceptible to a Denial of Service attack. Component Type: TYPO3 CMS Release Date: February 23, 2016 Vulnerable subcomponent: Indexed Search Vulnerability Type: Denial of Service attack Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3 Severity:...
Cross-Site Scripting in TYPO3 component Backend
It has been discovered that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: February 23, 2016 Vulnerable subcomponent: Backend Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.18 Severity: Low Suggested CVSS v2.0:...
Cross-Site Scripting in TYPO3 component CSS styled content
It has been discovered that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: February 23, 2016 Vulnerable subcomponent: CSS styled content Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3 Severity: Medium...
SQL Injection in dbal
It has been discovered that TYPO3 is susceptible to SQL Injection. Component Type: TYPO3 CMS Release Date: February 16, 2016 Vulnerable subcomponent: Dbal Vulnerability Type: SQL Injection Affected Versions: Versions 6.2.0 to 6.2.17 Severity: High Suggested CVSS v2.0:...
Cross-Site Scripting in form component
It has been discovered that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: February 16, 2016 Vulnerable subcomponent: form component Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.17 Severity: Low Suggested CVSS v2.0:...
Cross-Site Scripting in link validator component
It has been discovered that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: February 16, 2016 Vulnerable subcomponent: link validator Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.17 and 7.6.0 to 7.6.2 Severity: Low Suggest...
Cross-Site Scripting in legacy form component
It has been discovered that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: February 16, 2016 Vulnerable subcomponent: legacy form component Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.17 Severity: Low Suggested CVSS v2.0...
Multiple Cross-Site Scripting vulnerabilities in frontend
It has been discovered that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: December 15, 2015 Vulnerable subcomponent: Frontend Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.15, 7.0.0 to 7.6.0 Severity: Low Suggested CVSS...
Cross-Site Scripting in TYPO3 component Extension Manager
It has been discovered that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: December 15, 2015 Vulnerable subcomponent: Extension Manager Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.15, 7.0.0 to 7.6.0 Severity: Low Suggest...
Multiple Cross-Site Scripting vulnerabilities in TYPO3 backend
It has been discovered that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: December 15, 2015 Vulnerable subcomponent: Backend Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.15, 7.0.0 to 7.6.0 Severity: Low Suggested CVSS...
TYPO3 is susceptible to Cross-Site Flashing
It has been discovered that TYPO3 is susceptible to Cross-Site Flashing. Component Type: TYPO3 CMS Release Date: December 15, 2015 Vulnerable subcomponent: Flvplayer Vulnerability Type: Affected Versions: Versions 6.2.0 to 6.2.15 Severity: Medium Suggested CVSS v2.0:...
Cross-Site Scripting vulnerability in typolinks
It has been discovered that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: December 15, 2015 Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.15, 7.0.0 to 7.6.0 Severity: Low Suggested CVSS v2.0:...
Cross-Site Scripting in TYPO3 component Indexed Search
It has been discovered that TYPO3 is susceptible to Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: December 15, 2015 Vulnerable subcomponent: Indexed Search Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.15 Severity: Low Suggested CVSS v2.0:...
Cross-Site Request Forgery in extension "Typo3 Quixplorer" (t3quixplorer)
It has been discovered that the extension "Typo3 Quixplorer" t3quixplorer is susceptible to Cross-Site Request Forgery. Release Date: September 30, 2015 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 1.7.2 and belo...
File Disclosure in extension "Zend Framework Integration" (zend_framework)
It has been discovered that the extension "Zend Framework Integration" zend_framework is susceptible to File Disclosure. Release Date: September 30, 2015 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 1.7.6 and belo...
Arbitrary Code Execution in extension "MK Forms" (mkforms)
It has been discovered that the extension "MK Forms" mkforms is susceptible to Arbitrary Code Execution. Release Date: September 30, 2015 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 1.0.23 and below Vulnerability...
Information Disclosure in extension "LDAP" (eu_ldap)
It has been discovered that the extension "LDAP" eu_ldap is susceptible to Information Disclosure. Release Date: September 30, 2015 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 2.8.18 and below Vulnerability Type:...
Information Disclosure in extension "Adminer" (t3adminer)
It has been discovered that the extension "Adminer" t3adminer is susceptible to Information Disclosure. Release Date: September 30, 2015 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 7.0.1 and below Vulnerability...
Cross-Site Scripting in extension "News system" (news)
It has been discovered that the extension "News system" news is susceptible to Cross-Site Scripting. Release Date: September 30, 2015 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 3.2.1 and below Vulnerability Typ...
SQL Injection in extension "http:BL Blocking" (mh_httpbl)
It has been discovered that the extension "http:BL Blocking" mh_httpbl is susceptible to SQL Injection. Release Date: September 30, 2015 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: version 1.1.7 and below Vulnerability...
Unauthenticated Path Disclosure
It has been discovered that TYPO3 is susceptible to unauthenticated path disclosure. Component Type: TYPO3 CMS Release Date: September 8, 2015 Vulnerable subcomponent: Frontend Vulnerability Type: Information Disclosure Affected Versions: Versions 6.2.0 to 6.2.14, 7.0.0 to 7.3.1 Severity: Low...
Non-Persistent Cross-Site Scripting
It has been discovered that TYPO3 is susceptible to Non-Persistent Cross-Site Scripting. Component Type: TYPO3 CMS Release Date: September 8, 2015 Vulnerable subcomponent: Backend Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.14, 7.0.0 to 7.3.0 Severity: Low...
Cross-Site Scripting in 3rd party library Flowplayer
It has been discovered that editors could change, create or delete metadata of files without permission. Component Type: TYPO3 CMS Release Date: July 1, 2015 Vulnerable subcomponent: Backend Vulnerability Type: Cross-Site Scripting Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0...
Brute Force Protection Bypass in backend login
It has been discovered that the backend login brute force protection can be bypassed. Component Type: TYPO3 CMS Release Date: July 1, 2015 Vulnerable subcomponent: Backend Vulnerability Type: Brute Force Protection Bypass Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0 Severity: Low...
Frontend login Session Fixation
It has been discovered that TYPO3 is susceptible to session fixation. Component Type: TYPO3 CMS Release Date: July 1, 2015 Vulnerable subcomponent: Frontend Logon Vulnerability Type: Session Fixation Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0 Severity: Low Suggested CVSS v2.0:...
Access bypass when editing file metadata
It has been discovered that editors could change, create or delete metadata of files without permission. Component Type: TYPO3 CMS Release Date: July 1, 2015 Vulnerable subcomponent: Backend Vulnerability Type: Broken Access Control Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0...
Information Disclosure possibility exploitable by Editors
It has been discovered that editors could list all files and folders in the root directory of a TYPO3 installation. Component Type: TYPO3 CMS Release Date: July 1, 2015 Vulnerable subcomponent: Backend Vulnerability Type: Information Disclosure Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 ...