Incomplete Access Management and Remote Code Execution Vulnerability in TYPO3 Core
It has been discovered that TYPO3 Core has Incomplete Access Management and is vulnerable to Remote Code Execution Component Type: TYPO3 Core Vulnerability Types: Cross-Site Scripting, Remote Code Execution Overall Severity: Critical Release Date: September 4, 2013 Vulnerable subcomponent: File...
Several vulnerabilities in extension Formhandler (formhandler)
It has been discovered that the extension "Formhandler" Formhandler is vulnerable to SQL-Injection, Arbitrary Code Execution and Authentication Bypass. Release Date: August 05, 2013 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: browser, kesearch, locator, realurlmanagement, wfqbe Release Date: August 05, 2013 Bulletin update: September 5, 2014 added CVEs Please read first: This Collective Security Bulletin CSB is a listing of vulnerab...
Cross-Site Scripting vulnerability in extension Front End User Registration (sr_feuser_register)
It has been discovered that the extension "Front End User Registration" (sr_feuser_register) is vulnerable to Cross-Site Scripting. Release Date: August 05, 2013 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Version: 3.0.1 and all...
Cross-Site Scripting and Remote Code Execution Vulnerability in TYPO3 Core
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting and Remote Code Execution Component Type: TYPO3 Core Vulnerability Types: Cross-Site Scripting, Remote Code Execution Overall Severity: Critical Release Date: July 30, 2013 Vulnerable subcomponent: Third Party Libraries...
SQL Injection vulnerability in extension Multishop (multishop)
It has been discovered that the extension "Multishop" (multishop) is vulnerable to SQL-Injection. Release Date: June 03, 2013 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 2.0.38 and below Vulnerability Type: SQL...
Security Bypass Vulnerability in extension powermail (powermail)
It has been discovered that the extension "powermail" (powermail) is susceptible to Security Bypass Vulnerability. Release Date: June 03, 2013 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.6.9 and below, 2.0.1 -...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: accessibleisbrowseresults, maagformcaptcha, metafeedit, rzautocomplete, sbfolderdownload, sgzfelib, sgzlib, tqseo Release Date: June 03, 2013 Please read first: This Collective Security Bulletin CSB is a listin...
SQL Injection and Open Redirection in TYPO3 Core
It has been discovered that TYPO3 Core is susceptible to SQL Injection and Open Redirection Component Type: TYPO3 Core Affected Versions: 4.5.0 up to 4.5.23, 4.6.0 up to 4.6.16, 4.7.0 up to 4.7.8 and 6.0.0 up to 6.0.2 Vulnerability Types: SQL Injection, Open Redirection Overall Severity: High...
Cross-Site Scripting vulnerability in extension Static Info Tables (static_info_tables)
It has been discovered that the extension "Static Info Tables" (static_info_tables) is vulnerable to Cross-Site Scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 2.3.0 and below Vulnerability Type: Cross-Site...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: fed, myquizpoll, push2rss3ds, slideshare, wecdiscussion Release Date: February 19, 2013 Please read first: This Collective Security Bulletin CSB is a listing of vulnerable extensions with neither significant...
SQL Injection vulnerability in extension CoolURI (cooluri)
It has been discovered that the extension "CoolURI" (cooluri) is vulnerable to SQL Injection. Release Date: February 19, 2012 Bulletin Update: November 06, 2014 added CVE Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Versio...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: attacalendar, attacpetition, eusubscribe, exinitjoboffer, fefilebrowser, jscssoptimizer, kkcsv2table, lonewsseo, mnmysql2json, newssearch, tipafriendplus, twitterauth, sofortueberweisung2commerce, sysmessages...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: news, onetimeaccount, phpunit, div2007, t3mootools, t3jquery, oneclicklogin Release Date: January 11, 2013 Please read first: This Collective Security Bulletin CSB is a listing of vulnerable extensions with...
Several Vulnerabilities in extension commerce (commerce)
It has been discovered that the extension commerce (commerce) is vulnerable to Cross Site Scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 0.12.7 and below Vulnerability Types: Cross Site Scripting Severity:...
Several Vulnerabilities in TYPO3 Core
It has been discovered that TYPO3 Core is vulnerable to SQL Injection, Information Disclosure and Cross-Site Scripting Component Type: TYPO3 Core Affected Versions: 4.5.0 up to 4.5.20, 4.6.0 up to 4.6.13, 4.7.0 up to 4.7.5 and development releases of the 6.0 branch. Vulnerability Types: SQL...
Several Vulnerabilities in extension Formhandler (formhandler)
It has been discovered that the extension Formhandler (formhandler) is vulnerable to SQL-Injection and Cross-Site Scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.4.0 and below Vulnerability Types: SQL...
Several Vulnerabilities in TYPO3 Core
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, Information Disclosure, Insecure Unserialize leading to Arbitrary Code Execution Component Type: TYPO3 Core Affected Versions: 4.5.0 up to 4.5.18, 4.6.0 up to 4.6.11, 4.7.0 up to 4.7.3 and development releases of the 6....
Cross-site scripting vulnerability in extension powermail for TYPO3 (powermail)
It has been discovered that the extension "powermail" (powermail) is vulnerable to Cross-Site Scripting, SQL Injection and Arbitrary Code Execution. Release Date: August 8, 2012 Bulletin update: August 9, 2012 added update help for extension manager, added further download link Component Type: Thir...
Cross-Site Scripting Vulnerability in TYPO3 Core
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting. Component Type: TYPO3 Core Affected Versions: 4.5.0 up to 4.5.16, 4.6.0 up to 4.6.9, 4.7.0 up to 4.7.1 and development releases of the 6.0 branch. Bulletin history: July 4, 2012 - corrected Secunia Advisory ID Vulnerabl...
Cross-site scripting vulnerability in extension Seminars (seminars)
It has been discovered that the extension "Seminars" (seminars) is vulnerable to cross-site scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 0.9.3 and below Vulnerability Type: Cross-site scripting Severity:...
Cross-site scripting vulnerability in extension Ameos Formidable (ameos_formidable)
It has been discovered that the extension "Ameos Formidable" (ameos_formidable) is vulnerable to cross-site scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.1.373 and below Vulnerability Type: Cross-site...
Cross-site scripting vulnerability in extension powermail for TYPO3 (powermail)
It has been discovered that the extension "powermail" (powermail) is vulnerable to cross-site scripting. Release Date: May 30, 2012 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.6.6 and below Vulnerability Type:...
SQL Injection vulnerability in extension Basic SEO Features (seo_basics)
It has been discovered that the extension "Basic SEO Features" (seo_basics) is vulnerable to SQL Injection. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 0.8.2 and below Vulnerability Type: SQL Injection Severity: Hi...
Cross-Site Scripting Vulnerability in TYPO3 Core
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting. Component Type: TYPO3 Core Affected Versions: 4.4.0 up to 4.4.14, 4.5.0 up to 4.5.14, 4.6.0 up to 4.6.7 and development releases of the 4.7 branch. Vulnerable subcomponent: Exception Handler Vulnerability Type: Cross-Si...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: fewhois, cagtables, additionalreports, generaldatadisplay, realty, dkdfeuserbelogin, tcfbconnect, dixeasylogin, ajadofacebook, facebook2t3, sociallogin2t3, kbeventboard, news Release Date: March 28, 2012 Please...
Cross-Site Scripting vulnerability in extension powermail for TYPO3 (powermail)
It has been discovered that the extension "powermail" (powermail) is vulnerable to Cross-Site Scripting Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.6.4 and below Vulnerability Types: Cross-Site Scripting Severit...
Cross-Site Scripting vulnerability in extension Basic SEO Features (seo_basics)
It has been discovered that the extension "Basic SEO Features" (seo_basics) is vulnerable to Cross-Site Scripting Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 0.8.1 and below Vulnerability Type: Cross-Site Scripting...
Several Vulnerabilities in TYPO3 Core
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, Information Disclosure, Insecure Unserialize Component Type: TYPO3 Core Affected Versions: 4.4.0 up to 4.4.13, 4.5.0 up to 4.5.13, 4.6.0 up to 4.6.6 and development releases of the 4.7 and 6.0 branch. Vulnerability Type...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: tkcropthumbs, t3extplorer, tcbeuser, anpredigten, solr, pdfcontroller, cc20, jwplayer Release Date: February 23, 2012 Please read first: This Collective Security Bulletin CSB is a listing of vulnerable extensio...
Information disclosure vulnerabilities in extension "Front End User Registration" (sr_feuser_register)
It has been discovered that the extension "Front End User Registration" (sr_feuser_register) is vulnerable to information disclosure Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 2.6.1 and below Vulnerability Type:...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: cssfilelinks, terminal, beuserswitch, rtgfiles, irfaq, skteurocalc, jftcaforms, bcpost2facebook, aeurltool, mvcooking, toicategory, ajadofacebook Release Date: February 2, 2012 Please read first: This Collectiv...
Remote Code Execution in TYPO3 Core
It has been discovered that TYPO3 Core is vulnerable to Remote Code Execution. Component Type: TYPO3 Core Affected Versions: 4.5.0 up to 4.5.8, 4.6.0 and 4.6.1 + development releases of 4.7 branch Vulnerability Types: Remote Code Execution Overall Severity: Critical Release Date: December 16, 201...
Multiple vulnerabilities in extension phpMyAdmin (phpmyadmin)
It has been discovered that the extension phpMyAdmin (phpmyadmin) is vulnerable to Local file inclusion. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 4.11.8 and below Vulnerability Type: Local file inclusion...
Authentication Bypass and Blind LDAP Injection in extension eu_ldap
It has been discovered that the extension eu_ldap is vulnerable to Authentication Bypass and Blind LDAP Injection Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 2.8.10 and all versions below Vulnerability Type:...
Remote File Disclosure and Cross-Site Scripting vulnerability in extensions pmkshadowbox and pmkslimbox
It has been discovered that the extensions pmkshadowbox and pmkslimbox are vulnerable to Remote File Disclosure and Cross-Site Scripting. Release Date: October 20, 2011 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Extension: pmkshadowbox...
Remote Command Execution and Remote File Disclosure vulnerability in extension pdf_generator2
It has been discovered that the extension pdf_generator2 is vulnerable to Remote Code Execution and Remote File Disclosure Release Date: October 20, 2011 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 0.21.0 and all...
Multiple vulnerabilities in extension phpMyAdmin (phpmyadmin)
It has been discovered that the extension phpMyAdmin (phpmyadmin) is vulnerable to Cross-Site Scripting and Full Path Disclosure. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 4.11.5 and below Vulnerability Type:...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: mmhutinfo, npindexedsearchstat, rzcolorbox, t3cpodcasts, winninggame, tgmgallery, tgmvgallery, bpsshib, devnullrobots, dhcinflationcal, damfrontend, rtgfiles, mgrooms, gridelements Release Date: September 28,...
Cross-Site scripting vulnerability in extension t3blog (t3blog)
It has been discovered that the extension "T3Blog" (t3blog) is vulnerable to Cross-Site Scripting. Release Date: September 27, 2011 Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.1.1 and all versions below...
Multiple XSS vulnerabilities in extension phpMyAdmin (phpmyadmin)
It has been discovered that the extension phpMyAdmin (phpmyadmin) is vulnerable to Cross-Site Scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 4.11.4 and below Vulnerability Type: Multiple Cross-Site Scripti...
Potential SQL injection vulnerability in TYPO3 Core
It has been discovered that the TYPO3 prepared statement database API allows SQL Injections. Component Type: TYPO3 Core Affected Versions: 4.5.0 - 4.5.5 Release Date: September 14, 2011 Vulnerable subcomponent: Database API Vulnerability Type: SQL Injection Severity: Medium Suggested CVSS v2.0:...
Improper error handling could lead to cache flooding in TYPO3 Core
It has been discovered that TYPO3 is susceptible to Cache Flooding Component Type: TYPO3 Core Affected Versions: 4.2.0 - 4.2.17, 4.3.0 - 4.3.13, 4.4.0 - 4.4.10 and 4.5.0 - 4.5.5 Release Date: September 14, 2011 Vulnerable subcomponent: Caching System Vulnerability Type: Improper error handling...
Several Vulnerabilities in extension SmoothGallery for TYPO3 (rgsmoothgallery)
Several vulnerabilities have been found in the following third-party TYPO3 extension: rgsmoothgallery Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.5.1 and below Vulnerability Types: Cross-Site Scripting,...
Several Vulnerabilities in extension MailformPlus (th_mailformplus)
Several vulnerabilities have been found in the following third-party TYPO3 extension: th_mailformplus Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 4.0.15 and below Vulnerability Types: Cross-Site Scripting Severit...
A vulnerability in extension Drag Drop Mass Upload (ameos_dragndropupload)
A vulnerability has been found in the following third-party TYPO3 extension: ameos_dragndropupload Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 2.0.2 and below Vulnerability Types: Arbitrary Code Execution Severit...
Several Vulnerabilities in extension Direct Mail Subscription (direct_mail_subscription)
Several vulnerabilities have been found in the following third-party TYPO3 extension: direct_mail_subscription Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 1.1.0 and below Vulnerability Types: SQL Injection,...
Several vulnerabilities in third party extensions
Several vulnerabilities have been found in the following third-party TYPO3 extensions: MM DAM - FEFileList mmdamfilelist, Events julleevents, WEC Staff Directory wecstaffdirectory, TGM news tgmnews, TGM media tgmmedia, TGM calendar module tgmcal, DAM Lightbox damlightbox, Download system...
Multiple XSS vulnerabilities in extension phpMyAdmin (phpmyadmin)
It has been discovered that the extension phpMyAdmin (phpmyadmin) is vulnerable to Cross-Site Scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 4.11.3 and below Vulnerability Type: Multiple Cross-Site Scripti...
Several Vulnerabilities in extension Formhandler (formhandler)
It has been discovered that the extension Formhandler (formhandler) is vulnerable to SQL-Injection and Cross-Site Scripting. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: Version 0.9.14 and below Vulnerability Types: SQL...