Bitnami package
typo3
pkg:bitnami/typo3
Vulnerabilities (50)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-15241 | — | >= 8.7.25, <= 8.7.25 | — | Oct 8, 2020 | TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versio | ||
| CVE-2020-15098 | — | >= 9.0.0, < 9.5.20 | 9.5.20 | Jul 29, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a va | ||
| CVE-2020-15099 | — | >= 9.0.0, < 9.5.20 | 9.5.20 | Jul 29, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnera | ||
| CVE-2020-11069 | — | >= 9.0.0, < 9.5.16 | 9.5.16 | May 13, 2020 | In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously mana | ||
| CVE-2020-11067 | — | >= 9.0.0, < 9.5.16 | 9.5.16 | May 13, 2020 | In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A va | ||
| CVE-2020-11066 | — | >= 9.0.0, < 9.5.17 | 9.5.17 | May 13, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering delet | ||
| CVE-2020-11065 | — | >= 9.5.12, < 9.5.17 | 9.5.17 | May 13, 2020 | In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attribu | ||
| CVE-2020-11064 | — | >= 9.0.0, < 9.5.17 | 9.5.17 | May 13, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend use | ||
| CVE-2020-11063 | — | >= 10.4.0, <= 10.4.0 | — | May 13, 2020 | In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been | ||
| CVE-2020-8091 | — | >= 6.2.0, < 6.2.39 | 6.2.39 | Jan 27, 2020 | svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. This may be at a contrib/websvg/svg.swf pathname. |
- CVE-2020-15241Oct 8, 2020affected >= 8.7.25, <= 8.7.25
TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versio
- CVE-2020-15098Jul 29, 2020affected >= 9.0.0, < 9.5.20fixed 9.5.20
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a va
- CVE-2020-15099Jul 29, 2020affected >= 9.0.0, < 9.5.20fixed 9.5.20
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnera
- CVE-2020-11069May 13, 2020affected >= 9.0.0, < 9.5.16fixed 9.5.16
In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously mana
- CVE-2020-11067May 13, 2020affected >= 9.0.0, < 9.5.16fixed 9.5.16
In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A va
- CVE-2020-11066May 13, 2020affected >= 9.0.0, < 9.5.17fixed 9.5.17
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering delet
- CVE-2020-11065May 13, 2020affected >= 9.5.12, < 9.5.17fixed 9.5.17
In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attribu
- CVE-2020-11064May 13, 2020affected >= 9.0.0, < 9.5.17fixed 9.5.17
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend use
- CVE-2020-11063May 13, 2020affected >= 10.4.0, <= 10.4.0
In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been
- CVE-2020-8091Jan 27, 2020affected >= 6.2.0, < 6.2.39fixed 6.2.39
svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. This may be at a contrib/websvg/svg.swf pathname.
Page 3 of 3