VYPR

Packagist (Composer) package

typo3/cms-backend

pkg:composer/typo3/cms-backend

Vulnerabilities (22)

  • CVE-2026-6553 · High · Apr 21, 2026
    affected >= 14.2.0, < 14.3.0 · fixed 14.3.0

    Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.

  • CVE-2025-59020 · Jan 13, 2026
    affected >= 14.0.0, < 14.0.2 · fixed 14.0.2

    By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permissio

  • CVE-2025-59019 · Sep 9, 2025
    affected >= 12.0.0, < 12.4.37 · fixed 12.4.37

    Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.

  • CVE-2025-59017 · Sep 9, 2025
    affected >= 9.0.0, < 12.4.37 · fixed 12.4.37

    Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.

  • CVE-2025-59014 · Sep 9, 2025
    affected >= 11.0.0, < 12.4.37 · fixed 12.4.37

    An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level backend users trigger a denial‑of‑service condition in the backend user interface by saving manipulated data in the bookmark toolbar.

  • CVE-2025-47941 · May 20, 2025
    affected >= 12.0.0, < 12.4.31 · fixed 12.4.31

    TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, the multifactor authentication (MFA) dialog presented during backend login can be bypassed due to insufficient enforcemen

  • CVE-2024-34537 · Oct 28, 2024
    affected >= 13.0.0, < 13.3.1 · fixed 13.3.1

    TYPO3 before 13.3.1 allows denial of service (interface error) in the Bookmark Toolbar (ext:backend), exploitable by an administrator-level backend user account via manipulated data saved in the bookmark toolbar of the backend user interface. The fixed versions are 10.4.46 ELTS,

  • CVE-2024-47780 · Oct 8, 2024
    affected >= 13.0.0, < 13.3.1 · fixed 13.3.1

    TYPO3 is a free and open source Content Management Framework. Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to "everybody."

  • CVE-2021-21370 · Mar 23, 2021
    affected >= 7.0.0, < 7.6.51 · fixed 7.6.51

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the pa

  • CVE-2021-21340 · Mar 23, 2021
    affected >= 10.0.0, < 10.4.14 · fixed 10.4.14

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed. A valid backend user account

  • CVE-2010-3664 · Nov 4, 2019
    affected < 4.1.14 · fixed 4.1.14

    TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend.

  • CVE-2010-3663 · Nov 4, 2019
    affected < 4.1.14 · fixed 4.1.14

    TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend.

  • CVE-2010-3662 · Nov 4, 2019
    affected < 4.1.14 · fixed 4.1.14

    TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.

  • CVE-2010-3661 · Nov 1, 2019
    affected < 4.1.14 · fixed 4.1.14

    TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Open Redirection on the backend.

  • CVE-2010-3660 · Nov 1, 2019
    affected < 4.1.14 · fixed 4.1.14

    TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the backend.

  • CVE-2010-3659 · Medium · Oct 20, 2017
    affected >= 4.1.0, < 4.1.14 · fixed 4.1.14

    Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified parameters to the extension manage

  • CVE-2010-3715 · Oct 25, 2010
    affected >= 4.2.0, < 4.2.15 · fixed 4.2.15

    Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the RemoveXSS function, and allow remote authenticated users to in

  • CVE-2009-3631 · Nov 2, 2009
    affected <= 4.0.13

    The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.

  • CVE-2009-3630 · Nov 2, 2009
    affected <= 4.0.13

    The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters, related to a "frame hijacking" issue.

  • CVE-2009-3629 · Nov 2, 2009
    affected <= 4.0.13

    Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
