TYPO3 Core Security Vulnerabilities

CVE-2021-21357

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 due to improper input validation, attackers can bypass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework......

CVSS 8.3 | AI Score 8.1 | EPSS 0.001 | 2021-03-23 02:15 AM

CVE-2021-21370

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type menu are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid...

CVSS 5.4 | AI Score 5 | EPSS 0.001 | 2021-03-23 02:15 AM

CVE-2021-21355

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1, due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default...

CVSS 8.6 | AI Score 8.6 | EPSS 0.001 | 2021-03-23 02:15 AM

CVE-2021-21339

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited...

CVSS 7.5 | AI Score 7.7 | EPSS 0.002 | 2021-03-23 02:15 AM

CVE-2021-21340

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as descriptionColumn are vulnerable to cross-site scripting when their content gets previewed. A valid backend user account is needed to...

CVSS 5.4 | AI Score 5 | EPSS 0.001 | 2021-03-23 02:15 AM

CVE-2021-21338

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that Login Handling is susceptible to open redirection, which allows attackers to redirect to arbitrary content and conduct phishing...

CVSS 6.1 | AI Score 6.4 | EPSS 0.001 | 2021-03-23 02:15 AM

CVE-2021-21358

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed.....

CVSS 5.4 | AI Score 5 | EPSS 0.001 | 2021-03-23 02:15 AM

CVE-2020-26229

TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the...

CVSS 3.7 | AI Score 4.2 | EPSS 0.001 | 2020-11-23 10:15 PM

CVE-2020-26227

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. Update to TYPO3 versions....

CVSS 6.1 | AI Score 6.2 | EPSS 0.001 | 2020-11-23 09:15 PM

CVE-2020-26228

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in...

CVSS 8.1 | AI Score 7.8 | EPSS 0.001 | 2020-11-23 09:15 PM

CVE-2020-26216

TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with...

CVSS 8 | AI Score 6.5 | EPSS 0.001 | 2020-11-17 09:15 PM

CVE-2020-15241

TYPO3 Fluid Engine (package typo3fluid/fluid) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like {showFullName ? fullName : defaultValue}. Updated versions of this package are....

CVSS 6.1 | AI Score 5.8 | EPSS 0.001 | 2020-10-08 09:15 PM

CVE-2020-15098

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows injecting arbitrary data having a valid cryptographic.....

CVSS 8.8 | AI Score 8.9 | EPSS 0.003 | 2020-07-29 05:15 PM

CVE-2020-15099

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case.....

CVSS 8.1 | AI Score 8.6 | EPSS 0.009 | 2020-07-29 05:15 PM

CVE-2019-19850

An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid...

CVSS 7.2 | AI Score 7.3 | EPSS 0.001 | 2019-12-17 05:15 PM

CVE-2019-19849

An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB....

CVSS 8.8 | AI Score 8.4 | EPSS 0.001 | 2019-12-17 05:15 PM

CVE-2019-19848

An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability....

CVSS 7.2 | AI Score 6.9 | EPSS 0.002 | 2019-12-17 05:15 PM

CVE-2011-3583

It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are not properly replaced, could lead to a SQL Injection vulnerability. This issue can only be exploited if two or more parameters are bound to the query and at least two come from user...

CVSS 9.8 | AI Score 9.7 | EPSS 0.002 | 2019-11-26 12:15 AM

CVE-2011-3584

The TYPO3 Core wec_discussion extension before 2.1.1 is vulnerable to SQL Injection due to improper sanitization of user-supplied...

CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2019-11-26 12:15 AM

CVE-2011-4901

TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to extract arbitrary information from the TYPO3...

CVSS 6.5 | AI Score 6.6 | EPSS 0.001 | 2019-11-06 05:15 PM

CVE-2011-4902

TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to delete arbitrary files on the...

CVSS 6.5 | AI Score 6.7 | EPSS 0.001 | 2019-11-06 05:15 PM

CVE-2011-4632

Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the tcemain flash...

CVSS 5.4 | AI Score 5.4 | EPSS 0.001 | 2019-11-06 05:15 PM

CVE-2011-4900

TYPO3 before 4.5.4 allows Information Disclosure in the...

CVSS 6.5 | AI Score 6.4 | EPSS 0.001 | 2019-11-06 05:15 PM

CVE-2011-4904

TYPO3 before 4.4.9 and 4.5.x before 4.5.4 does not apply proper access control on ExtDirect calls which allows remote attackers to retrieve ExtDirect endpoint...

CVSS 6.5 | AI Score 6.6 | EPSS 0.001 | 2019-11-06 05:15 PM

CVE-2011-4903

Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the RemoveXSS...

CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2019-11-06 05:15 PM

CVE-2011-4628

TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authentication mechanisms in the backend through a crafted...

CVSS 9.8 | AI Score 9.3 | EPSS 0.007 | 2019-11-06 05:15 PM

CVE-2011-4626

Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the "JSwindow" property of the typolink...

CVSS 6.1 | AI Score 7.2 | EPSS 0.001 | 2019-11-06 05:15 PM

CVE-2011-4629

Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the admin...

CVSS 5.4 | AI Score 6.8 | EPSS 0.001 | 2019-11-06 05:15 PM

CVE-2011-4627

TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows Information Disclosure on the...

CVSS 6.5 | AI Score 6.4 | EPSS 0.001 | 2019-11-06 05:15 PM

CVE-2011-4630

Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the browse_links...

CVSS 5.4 | AI Score 5.4 | EPSS 0.001 | 2019-11-06 05:15 PM

CVE-2011-4631

Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the system extension...

CVSS 5.4 | AI Score 6.8 | EPSS 0.001 | 2019-11-06 05:15 PM

CVE-2019-11832

TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or...

CVSS 7.5 | AI Score 7.1 | EPSS 0.008 | 2019-05-09 05:29 AM

CVE-2010-3659

Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified parameters to the extension manager, or unspecified.....

CVSS 5.4 | AI Score 5.7 | EPSS 0.001 | 2017-10-20 06:29 PM

CVE-2017-14251

Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP...

CVSS 8.8 | AI Score 8.6 | EPSS 0.008 | 2017-09-11 09:29 AM

CVE-2016-4056

Cross-site scripting (XSS) vulnerability in the Backend component in TYPO3 6.2.x before 6.2.19 allows remote attackers to inject arbitrary web script or HTML via the module parameter when creating a...

CVSS 6.1 | AI Score 5.9 | EPSS 0.002 | 2017-01-23 09:59 PM

CVE-2016-5091

Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase...

CVSS 8.1 | AI Score 8.5 | EPSS 0.034 | 2017-01-23 09:59 PM

CVE-2015-5956

The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php....

AI Score 4.8 | EPSS 0.065 | 2015-09-16 02:59 PM

CVE-2015-2047

The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4.15, 4.5.0 through 4.5.39, and 4.6.0 through 4.6.18, when configured for the frontend, allows remote attackers to bypass authentication via a password that is cast to an empty...

AI Score 7 | EPSS 0.007 | 2015-02-23 05:59 PM

CVE-2014-9508

The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that only contain anchors, allows remote attackers to change URLs to arbitrary domains for those links via...

AI Score 6.7 | EPSS 0.002 | 2015-01-04 09:59 PM

CVE-2014-3944

The Authentication component in TYPO3 6.2.0 before 6.2.3 does not properly invalidate timed out user sessions, which allows remote attackers to bypass authentication via unspecified...

AI Score 6.8 | EPSS 0.003 | 2014-06-03 02:55 PM

CVE-2014-3945

The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remote attackers to bypass authentication and gain access to the backend by leveraging knowledge of a...

AI Score 7.3 | EPSS 0.003 | 2014-06-03 02:55 PM

CVE-2014-3943

Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown...

AI Score 5.3 | EPSS 0.001 | 2014-06-03 02:55 PM

CVE-2014-3946

The query caching functionality in the Extbase Framework component in TYPO3 6.2.0 before 6.2.3 does not properly validate group permissions, which allows remote authenticated users to read arbitrary queries via unspecified...

AI Score 6.1 | EPSS 0.001 | 2014-06-03 02:55 PM

CVE-2014-3941

TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host...

AI Score 5.3 | EPSS 0.006 | 2014-06-03 02:55 PM

CVE-2014-3942

The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP...

AI Score 7.2 | EPSS 0.003 | 2014-06-03 02:55 PM

CVE-2013-4321

The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for...

AI Score 7.4 | EPSS 0.002 | 2014-05-20 02:55 PM

CVE-2012-6146

The Backend History Module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 does not properly restrict access, which allows remote authenticated editors to read the history of arbitrary records via a crafted...

AI Score 6.2 | EPSS 0.001 | 2014-05-20 02:55 PM

CVE-2013-4320

The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 does not properly check permissions, which allows remote authenticated users to create or read arbitrary files via a crafted...

AI Score 6.3 | EPSS 0.001 | 2014-05-20 02:55 PM

CVE-2013-4250

The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploading a .php...

AI Score 7.3 | EPSS 0.002 | 2014-05-20 02:55 PM

CVE-2013-7078

Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in the Extbase Framework in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6, when the Rewritten Property Mapper is enabled, allows remote attackers.....

AI Score 7.7 | EPSS 0.003 | 2014-01-19 06:55 PM

Total number of security vulnerabilities: 128