Packagist (Composer) package
typo3/cms-core
pkg:composer/typo3/cms-core
Vulnerabilities (92)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-26229 | Low | 3.7 | >= 10.0.0, < 10.4.10 | 10.4.10 | Nov 23, 2020 | TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reprodu | |
| CVE-2020-26228 | Hig | 8.1 | >= 9.0.0, < 9.5.23 | 9.5.23 | Nov 23, 2020 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly an | |
| CVE-2020-26227 | Med | 6.1 | >= 9.0.0, < 9.5.23 | 9.5.23 | Nov 23, 2020 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. Update | |
| CVE-2020-15241 | Med | 4.7 | >= 8.0.0, < 8.7.25 | 8.7.25 | Oct 8, 2020 | TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versio | |
| CVE-2020-15099 | Hig | 8.1 | >= 9.0.0, < 9.5.20 | 9.5.20 | Jul 29, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnera | |
| CVE-2020-15098 | Hig | 8.8 | >= 9.0.0, < 9.5.20 | 9.5.20 | Jul 29, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a va | |
| CVE-2020-11069 | Hig | 8.0 | >= 9.0.0, < 9.5.17 | 9.5.17 | May 14, 2020 | In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously mana | |
| CVE-2020-11067 | Hig | 8.8 | >= 9.0.0, < 9.5.17 | 9.5.17 | May 14, 2020 | In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A va | |
| CVE-2020-11066 | Hig | 8.7 | >= 9.0.0, < 9.5.17 | 9.5.17 | May 14, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering delet | |
| CVE-2020-11065 | Med | 5.4 | >= 10.0.0, < 10.4.2 | 10.4.2 | May 13, 2020 | In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attribu | |
| CVE-2020-11064 | Med | 5.4 | >= 9.0.0, < 9.5.17 | 9.5.17 | May 13, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend use | |
| CVE-2020-11063 | Low | 3.7 | >= 10.0.0, < 10.4.2 | 10.4.2 | May 13, 2020 | In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been | |
| CVE-2019-19850 | Hig | 7.2 | >= 8.0, < 8.7.30 | 8.7.30 | Dec 17, 2019 | An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, | |
| CVE-2019-19849 | Hig | 8.8 | >= 10.0.0, < 10.2.1 | 10.2.1 | Dec 17, 2019 | An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel ( | |
| CVE-2019-19848 | Hig | 7.2 | >= 10.0.0, < 10.2.2 | 10.2.2 | Dec 17, 2019 | An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit thi | |
| CVE-2010-3673 | Med | 5.3 | < 4.2.13 | 4.2.13 | Nov 5, 2019 | TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows information disclosure in the mail header of the HTML mailing API. | |
| CVE-2019-12748 | Med | 6.1 | >= 8.0.0, < 8.7.27 | 8.7.27 | Jul 9, 2019 | TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. | |
| CVE-2019-12747 | Hig | 8.8 | >= 8.0.0, < 8.7.27 | 8.7.27 | Jul 9, 2019 | TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. | |
| CVE-2019-10912 | Hig | 7.1 | >= 9.0.0, < 9.5.8 | 9.5.8 | May 16, 2019 | In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is re | |
| CVE-2019-11832 | Hig | 7.5 | >= 8.0.0, < 8.7.25 | 8.7.25 | May 9, 2019 | TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick. |
- affected >= 10.0.0, < 10.4.10fixed 10.4.10
TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reprodu
- affected >= 9.0.0, < 9.5.23fixed 9.5.23
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly an
- affected >= 9.0.0, < 9.5.23fixed 9.5.23
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. Update
- affected >= 8.0.0, < 8.7.25fixed 8.7.25
TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versio
- affected >= 9.0.0, < 9.5.20fixed 9.5.20
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnera
- affected >= 9.0.0, < 9.5.20fixed 9.5.20
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a va
- affected >= 9.0.0, < 9.5.17fixed 9.5.17
In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously mana
- affected >= 9.0.0, < 9.5.17fixed 9.5.17
In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A va
- affected >= 9.0.0, < 9.5.17fixed 9.5.17
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering delet
- affected >= 10.0.0, < 10.4.2fixed 10.4.2
In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attribu
- affected >= 9.0.0, < 9.5.17fixed 9.5.17
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend use
- affected >= 10.0.0, < 10.4.2fixed 10.4.2
In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been
- affected >= 8.0, < 8.7.30fixed 8.7.30
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed,
- affected >= 10.0.0, < 10.2.1fixed 10.2.1
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (
- affected >= 10.0.0, < 10.2.2fixed 10.2.2
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit thi
- affected < 4.2.13fixed 4.2.13
TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows information disclosure in the mail header of the HTML mailing API.
- affected >= 8.0.0, < 8.7.27fixed 8.7.27
TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS.
- affected >= 8.0.0, < 8.7.27fixed 8.7.27
TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data.
- affected >= 9.0.0, < 9.5.8fixed 9.5.8
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is re
- affected >= 8.0.0, < 8.7.25fixed 8.7.25
TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick.
Page 4 of 5