Lucene search

K

TYPO3 Core Security Vulnerabilities

cve
cve

CVE-2024-25119

TYPO3 is an open source PHP based web content management system released under the GNU GPL. The plaintext value of $GLOBALS['SYS']['encryptionKey'] was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic...

4.9CVSS

5AI Score

0.0004EPSS

2024-02-13 11:15 PM
16
cve
cve

CVE-2024-25118

TYPO3 is an open source PHP based web content management system released under the GNU GPL. Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this...

4.3CVSS

4.6AI Score

0.0004EPSS

2024-02-13 11:15 PM
26
cve
cve

CVE-2024-34355

TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML...

3.5CVSS

6.6AI Score

0.0004EPSS

2024-05-14 04:17 PM
25
cve
cve

CVE-2024-34357

TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the ShowImageController (eID tx_cms_showpic ) is vulnerable to...

5.4CVSS

5.1AI Score

0.0004EPSS

2024-05-14 04:17 PM
25
cve
cve

CVE-2024-25120

TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific t3:// URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling...

4.3CVSS

4.4AI Score

0.0004EPSS

2024-02-13 11:15 PM
25
cve
cve

CVE-2024-34358

TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the ShowImageController (eID tx_cms_showpic ) lacks a cryptographic HMAC-signature on the frame HTTP query parameter (e.g....

5.3CVSS

5.2AI Score

0.0004EPSS

2024-05-14 04:17 PM
30
cve
cve

CVE-2024-34356

TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user...

5.4CVSS

6.2AI Score

0.0004EPSS

2024-05-14 04:17 PM
26
cve
cve

CVE-2009-4855

SQL injection vulnerability in index.php in TYPO3 4.0 allows remote attackers to execute arbitrary SQL commands via the showUid parameter. NOTE: the TYPO3 Security Team disputes this report, stating that "there is no such vulnerability... The showUid parameter is generally used in third-party...

8.6AI Score

0.001EPSS

2010-05-11 12:02 PM
29
cve
cve

CVE-2024-25121

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via DataHandler. This allowed attackers to reference files in the fallback storage directly and...

7.1CVSS

6.7AI Score

0.0004EPSS

2024-02-13 11:15 PM
24
cve
cve

CVE-2012-3527

view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature...

7.2AI Score

0.003EPSS

2012-09-05 11:55 PM
39
cve
cve

CVE-2023-47125

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. This vulnerability has been addressed in...

6.1CVSS

5.9AI Score

0.001EPSS

2023-11-14 08:15 PM
46
cve
cve

CVE-2023-47127

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can be reused on the...

5.4CVSS

5.2AI Score

0.001EPSS

2023-11-14 08:15 PM
40
cve
cve

CVE-2023-47126

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions the login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios...

5.3CVSS

5.1AI Score

0.001EPSS

2023-11-14 08:15 PM
32
cve
cve

CVE-2019-11831

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar...

9.8CVSS

9.3AI Score

0.033EPSS

2019-05-09 04:29 AM
242
cve
cve

CVE-2023-37905

ckeditor-wordcount-plugin is an open source WordCount Plugin for CKEditor. It has been discovered that the ckeditor-wordcount-plugin plugin for CKEditor4 is susceptible to cross-site scripting when switching to the source code mode. This issue has been addressed in version 1.17.12 of the...

6.1CVSS

6AI Score

0.001EPSS

2023-07-21 08:15 PM
32
cve
cve

CVE-2023-38500

TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to provide cross-site-scripting-safe markup based on explicitly allowed tags, attributes and values. Starting in version 1.0.0 and prior to versions 1.5.1 and 2.1.2, due to an encoding issue in the serialization layer, malicious...

6.1CVSS

5.9AI Score

0.001EPSS

2023-07-25 09:15 PM
22
cve
cve

CVE-2023-38499

TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters id and L allowed out-of-scope access to rendered content in the website...

5.3CVSS

5.1AI Score

0.001EPSS

2023-07-25 09:15 PM
38
cve
cve

CVE-2022-31047

TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, system internal credentials or keys (e.g. database credentials) can be logged as plaintext in exception handlers, when logging the complete exception stack trace....

6.5CVSS

6.3AI Score

0.001EPSS

2022-06-14 09:15 PM
67
5
cve
cve

CVE-2019-12747

TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted...

8.8CVSS

8.5AI Score

0.001EPSS

2019-07-09 03:15 PM
55
cve
cve

CVE-2019-12748

TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows...

6.1CVSS

6.3AI Score

0.001EPSS

2019-07-09 03:15 PM
56
cve
cve

CVE-2023-24814

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component GeneralUtility::getIndpEnv() uses the unfiltered server environment variable PATH_INFO, which allows attackers to inject malicious content. In...

8.8CVSS

5.8AI Score

0.003EPSS

2023-02-07 07:15 PM
33
cve
cve

CVE-2014-9509

The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set to all or cached, allows remote attackers to have an unspecified impact (possibly resource consumption) via a "Cache Poisoning" attack using.....

6.9AI Score

0.005EPSS

2022-10-03 04:20 PM
23
cve
cve

CVE-2015-8759

Cross-site scripting (XSS) vulnerability in the typoLink function in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote authenticated editors to inject arbitrary web script or HTML via a link...

5.4CVSS

5.2AI Score

0.001EPSS

2022-10-03 04:16 PM
25
cve
cve

CVE-2015-8755

Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown...

5.4CVSS

5.3AI Score

0.001EPSS

2022-10-03 04:16 PM
30
cve
cve

CVE-2015-8758

Multiple cross-site scripting (XSS) vulnerabilities in unspecified frontend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown...

5.4CVSS

5.3AI Score

0.001EPSS

2022-10-03 04:15 PM
20
cve
cve

CVE-2015-8757

Cross-site scripting (XSS) vulnerability in the Extension Manager in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to extension data during an extension...

6.1CVSS

5.9AI Score

0.001EPSS

2022-10-03 04:15 PM
20
cve
cve

CVE-2015-8756

Cross-site scripting (XSS) vulnerability in the search result view in the Indexed Search (indexed_search) component in TYPO3 6.2.x before 6.2.16 allows remote authenticated editors to inject arbitrary web script or HTML via unspecified...

5.4CVSS

5.1AI Score

0.001EPSS

2022-10-03 04:15 PM
17
cve
cve

CVE-2015-8760

The Flvplayer component in TYPO3 6.2.x before 6.2.16 allows remote attackers to embed Flash videos from external domains via unspecified vectors, aka "Cross-Site...

6.1CVSS

6.2AI Score

0.002EPSS

2022-10-03 04:15 PM
22
cve
cve

CVE-2012-1606

Multiple cross-site scripting (XSS) vulnerabilities in the Backend component in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified...

5.2AI Score

0.001EPSS

2022-10-03 04:15 PM
33
cve
cve

CVE-2012-1608

The t3lib_div::RemoveXSS API method in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism and inject arbitrary web script or HTML via non printable...

5.5AI Score

0.002EPSS

2022-10-03 04:15 PM
34
cve
cve

CVE-2012-1605

The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unserializes untrusted data, which allows remote attackers to unserialize arbitrary objects and possibly execute arbitrary code via vectors related to "a missing signature (HMAC) for a request...

7.8AI Score

0.006EPSS

2022-10-03 04:15 PM
32
cve
cve

CVE-2012-1607

The Command Line Interface (CLI) script in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to obtain the database name via a direct...

6.4AI Score

0.003EPSS

2022-10-03 04:15 PM
33
cve
cve

CVE-2011-4614

PHP remote file inclusion vulnerability in Classes/Controller/AbstractController.php in the workspaces system extension in TYPO3 4.5.x before 4.5.9, 4.6.x before 4.6.2, and development versions of 4.7 allows remote attackers to execute arbitrary PHP code via a URL in the BACK_PATH...

7.5AI Score

0.134EPSS

2022-10-03 04:15 PM
24
cve
cve

CVE-2022-36107

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the FileDumpController (backend and frontend context) is vulnerable to cross-site scripting when malicious files are displayed using this component. A valid backend user account.....

6.5CVSS

5.3AI Score

0.001EPSS

2022-09-13 06:15 PM
44
7
cve
cve

CVE-2022-36108

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the f:asset.css view helper is vulnerable to cross-site scripting when user input is passed as variables to the CSS. Update to TYPO3 version 10.4.32 or 11.5.16 that fix the...

6.5CVSS

6.1AI Score

0.001EPSS

2022-09-13 06:15 PM
48
7
cve
cve

CVE-2022-36106

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the expiration time of a password reset link for TYPO3 backend users has never been evaluated. As a result, a password reset link could be used to perform a password reset even...

5.4CVSS

5.5AI Score

0.001EPSS

2022-09-13 06:15 PM
35
4
cve
cve

CVE-2022-36104

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another page. This leads to....

7.5CVSS

7.4AI Score

0.001EPSS

2022-09-13 06:15 PM
45
4
cve
cve

CVE-2022-36105

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that observing response time during user authentication (backend and frontend) can be used to distinguish between existing and non-existing user accounts. Extension authors of 3rd...

5.3CVSS

5.3AI Score

0.001EPSS

2022-09-13 06:15 PM
41
4
cve
cve

CVE-2022-31049

TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, user submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages. TYPO3 versions...

5.4CVSS

5.2AI Score

0.001EPSS

2022-06-14 09:15 PM
61
10
cve
cve

CVE-2022-31048

TYPO3 is an open source web content management system. Prior to versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit...

5.4CVSS

5.1AI Score

0.001EPSS

2022-06-14 09:15 PM
53
6
cve
cve

CVE-2022-31050

TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This.....

7.2CVSS

6.8AI Score

0.002EPSS

2022-06-14 09:15 PM
59
4
cve
cve

CVE-2022-31046

TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the export functionality fails to limit the result set to allowed columns of a particular database table. This way, authenticated users can export internal details.....

4.3CVSS

4.3AI Score

0.001EPSS

2022-06-14 09:15 PM
53
3
cve
cve

CVE-2021-41114

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the...

5.3CVSS

5AI Score

0.006EPSS

2021-10-05 06:15 PM
43
cve
cve

CVE-2021-41113

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. The impact is the same as...

8.8CVSS

8.4AI Score

0.002EPSS

2021-10-05 06:15 PM
48
cve
cve

CVE-2021-32768

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding...

6.1CVSS

6AI Score

0.001EPSS

2021-08-10 05:15 PM
44
cve
cve

CVE-2021-32767

TYPO3 is an open source PHP based web content management system. In versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may been logged as plain-text. This occurs when explicitly using log level debug, which is not the default configuration. TYPO3...

6.5CVSS

6.4AI Score

0.001EPSS

2021-07-20 04:15 PM
45
7
cve
cve

CVE-2021-32669

TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When settings for backend layouts are not properly encoded, the corresponding grid view is vulnerable to...

6.4CVSS

5AI Score

0.001EPSS

2021-07-20 04:15 PM
58
5
cve
cve

CVE-2021-32668

TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When error messages are not properly encoded, the components QueryGenerator and QueryView are vulnerable to...

6.4CVSS

4.7AI Score

0.001EPSS

2021-07-20 03:15 PM
49
5
cve
cve

CVE-2021-32667

TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When Page TSconfig settings are not properly encoded, corresponding page preview module (Web>View) is...

6.4CVSS

5AI Score

0.001EPSS

2021-07-20 03:15 PM
47
5
cve
cve

CVE-2021-21359

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.25, 10.4.14, 11.1.1 requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a....

7.5CVSS

7.2AI Score

0.002EPSS

2021-03-23 02:15 AM
109
Total number of security vulnerabilities128