Bitnami package
typo3
pkg:bitnami/typo3
Vulnerabilities (50)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-30451 | — | | | >= 11.5.24, <= 11.5.24 | — | Dec 25, 2023 | In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST /typo3/record/edit with ../../../ in data[sys_file_storage]*[data][sDEF][lDEF][base |
| CVE-2023-47125 | — | | | >= 8.7.42, < 8.7.55 | 8.7.55 | Nov 14, 2023 | TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. This vulnerability has been ad |
| CVE-2023-47126 | — | | | >= 12.2.0, < 12.4.8 | 12.4.8 | Nov 14, 2023 | TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions the login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-b |
| CVE-2023-47127 | — | | | >= 8.0.0, < 8.7.55 | 8.7.55 | Nov 14, 2023 | TYPO3 is an open source PHP based web content management system released under the GNU GPL. In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can b |
| CVE-2023-38499 | — | | | >= 9.4.0, < 9.5.42 | 9.5.42 | Jul 25, 2023 | TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered con |
| CVE-2023-24814 | — | | | >= 8.7.0, < 9.7.51 | 9.7.51 | Feb 7, 2023 | TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject m |
| CVE-2022-23504 | — | | | >= 9.0.0, < 9.5.38 | 9.5.38 | Dec 14, 2022 | TYPO3 is an open source PHP based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to Sensitive Information Disclosure. Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend modul |
| CVE-2022-23503 | — | | | >= 8.0.0, < 8.7.49 | 8.7.49 | Dec 14, 2022 | TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, |
| CVE-2022-23502 | — | | | >= 10.0.0, < 10.4.33 | 10.4.33 | Dec 14, 2022 | TYPO3 is an open source PHP based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, when users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This a |
| CVE-2022-23501 | — | | | < 8.7.49 | 8.7.49 | Dec 14, 2022 | TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions), ca |
| CVE-2022-23500 | — | | | >= 9.0.0, < 9.5.38 | 9.5.38 | Dec 14, 2022 | TYPO3 is an open source PHP based web content management system. In versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1, requesting invalid or non-existing resources via HTTP triggers the page error handler, which again could retrieve content to be shown as an error message fr |
| CVE-2022-36105 | — | | | >= 7.0.0, < 7.6.57 | 7.6.57 | Sep 13, 2022 | TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that observing response time during user authentication (backend and frontend) can be used to distinguish between existing and non-existing user accounts. Extension |
| CVE-2022-36106 | — | | | >= 10.0.0, < 10.4.31 | 10.4.31 | Sep 13, 2022 | TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the expiration time of a password reset link for TYPO3 backend users has never been evaluated. As a result, a password reset link could be used to perform a pas |
| CVE-2022-36107 | — | | | >= 7.0.0, < 7.6.57 | 7.6.57 | Sep 13, 2022 | TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the `FileDumpController` (backend and frontend context) is vulnerable to cross-site scripting when malicious files are displayed using this component. A valid b |
| CVE-2022-36104 | — | | | >= 11.4.0, < 11.5.15 | 11.5.15 | Sep 13, 2022 | TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another p |
| CVE-2022-36108 | — | | | >= 10.0.0, < 10.4.31 | 10.4.31 | Sep 13, 2022 | TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the `f:asset.css` view helper is vulnerable to cross-site scripting when user input is passed as variables to the CSS. Update to TYPO3 version 10.4.32 or 11.5.1 |
| CVE-2022-31050 | — | | | >= 9.0.0, < 9.5.35 | 9.5.35 | Jun 14, 2022 | TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was degraded to lower permissions or disabled |
| CVE-2022-31048 | — | | | >= 8.0.0, < 8.7.47 | 8.7.47 | Jun 14, 2022 | TYPO3 is an open source web content management system. Prior to versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is ne |
| CVE-2022-31049 | — | | | >= 9.0.0, < 9.5.35 | 9.5.35 | Jun 14, 2022 | TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, user submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages. |
| CVE-2022-31046 | — | | | >= 7.0.0, < 7.6.57 | 7.6.57 | Jun 14, 2022 | TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the export functionality fails to limit the result set to allowed columns of a particular database table. This way, authenticated users can export |
Page 1 of 3