VYPR

Packagist (Composer) package

typo3/cms-core

pkg:composer/typo3/cms-core

Vulnerabilities (92)

  • CVE-2020-26229LowNov 23, 2020
    affected >= 10.0.0, < 10.4.10fixed 10.4.10

    TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reprodu

  • CVE-2020-26228HigNov 23, 2020
    affected >= 9.0.0, < 9.5.23fixed 9.5.23

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly an

  • CVE-2020-26227MedNov 23, 2020
    affected >= 9.0.0, < 9.5.23fixed 9.5.23

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. Update

  • CVE-2020-15241MedOct 8, 2020
    affected >= 8.0.0, < 8.7.25fixed 8.7.25

    TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versio

  • CVE-2020-15099HigJul 29, 2020
    affected >= 9.0.0, < 9.5.20fixed 9.5.20

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnera

  • CVE-2020-15098HigJul 29, 2020
    affected >= 9.0.0, < 9.5.20fixed 9.5.20

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a va

  • CVE-2020-11069HigMay 14, 2020
    affected >= 9.0.0, < 9.5.17fixed 9.5.17

    In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously mana

  • CVE-2020-11067HigMay 14, 2020
    affected >= 9.0.0, < 9.5.17fixed 9.5.17

    In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A va

  • CVE-2020-11066HigMay 14, 2020
    affected >= 9.0.0, < 9.5.17fixed 9.5.17

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering delet

  • CVE-2020-11065MedMay 13, 2020
    affected >= 10.0.0, < 10.4.2fixed 10.4.2

    In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attribu

  • CVE-2020-11064MedMay 13, 2020
    affected >= 9.0.0, < 9.5.17fixed 9.5.17

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend use

  • CVE-2020-11063LowMay 13, 2020
    affected >= 10.0.0, < 10.4.2fixed 10.4.2

    In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been

  • CVE-2019-19850HigDec 17, 2019
    affected >= 8.0, < 8.7.30fixed 8.7.30

    An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed,

  • CVE-2019-19849HigDec 17, 2019
    affected >= 10.0.0, < 10.2.1fixed 10.2.1

    An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (

  • CVE-2019-19848HigDec 17, 2019
    affected >= 10.0.0, < 10.2.2fixed 10.2.2

    An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit thi

  • CVE-2010-3673MedNov 5, 2019
    affected < 4.2.13fixed 4.2.13

    TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows information disclosure in the mail header of the HTML mailing API.

  • CVE-2019-12748MedJul 9, 2019
    affected >= 8.0.0, < 8.7.27fixed 8.7.27

    TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS.

  • CVE-2019-12747HigJul 9, 2019
    affected >= 8.0.0, < 8.7.27fixed 8.7.27

    TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data.

  • CVE-2019-10912HigMay 16, 2019
    affected >= 9.0.0, < 9.5.8fixed 9.5.8

    In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is re

  • CVE-2019-11832HigMay 9, 2019
    affected >= 8.0.0, < 8.7.25fixed 8.7.25

    TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick.

Page 4 of 5