Packagist (Composer) package
typo3/cms-core
pkg:composer/typo3/cms-core
Vulnerabilities (92)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-17960 | Med | 6.1 | >= 8.0.0, < 8.7.21 | 8.7.21 | Nov 14, 2018 | CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. | |
| CVE-2018-14041 | Med | 6.1 | >= 8.0.0, < 8.7.23 | 8.7.23 | Jul 13, 2018 | In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. | |
| CVE-2013-4320 | — | >= 6.0, < 6.0.9 | 6.0.9 | May 20, 2014 | The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 does not properly check permissions, which allows remote authenticated users to create or read arbitrary files via a crafted URL. | ||
| CVE-2013-7078 | — | >= 4.5.0, < 4.5.31 | 4.5.31 | Jan 19, 2014 | Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in the Extbase Framework in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6, when the Rewritten Property Mapper is enabled, allows | ||
| CVE-2013-7081 | — | >= 4.5.0, < 4.5.31 | 4.5.31 | Dec 23, 2013 | The (old) Form Content Element component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated editors to generate arbitrary HMAC signatures and bypass intended access restrictions via unspecified vectors. | ||
| CVE-2013-7080 | — | >= 4.5.0, < 4.5.31 | 4.5.31 | Dec 23, 2013 | The creating record functionality in Extension table administration library (feuser_adminLib.inc) in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, and 6.0.0 through 6.0.11 allows remote attackers to write to arbitrary fields in the configuration database table via crafted lin | ||
| CVE-2013-7077 | — | >= 6.0, < 6.0.12 | 6.0.12 | Dec 21, 2013 | Cross-site scripting (XSS) vulnerability in the Backend User Administration Module in TYPO3 6.0.x before 6.0.12 and 6.1.x before 6.1.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2013-1843 | — | >= 4.5.0, < 4.5.24 | 4.5.24 | Mar 20, 2013 | Open redirect vulnerability in the Access tracking mechanism in TYPO3 4.5.x before 4.5.24, 4.6.x before 4.6.17, 4.7.x before 4.7.9, and 6.0.x before 6.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | ||
| CVE-2013-1842 | — | >= 4.5.0, < 4.5.24 | 4.5.24 | Mar 20, 2013 | SQL injection vulnerability in the Extbase Framework in TYPO3 4.5.x before 4.5.24, 4.6.x before 4.6.17, 4.7.x before 4.7.9, and 6.0.x before 6.0.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to "the Query Object Model and relation va | ||
| CVE-2010-5104 | — | >= 4.2.0, < 4.2.16 | 4.2.16 | May 21, 2012 | The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characte | ||
| CVE-2009-3633 | — | <= 4.0.13 | — | Nov 2, 2009 | Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to | ||
| CVE-2008-2717 | — | >= 4.0.0, < 4.0.9 | 4.0.9 | Jun 16, 2008 | TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload atta |
- affected >= 8.0.0, < 8.7.21fixed 8.7.21
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
- affected >= 8.0.0, < 8.7.23fixed 8.7.23
In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
- CVE-2013-4320May 20, 2014affected >= 6.0, < 6.0.9fixed 6.0.9
The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 does not properly check permissions, which allows remote authenticated users to create or read arbitrary files via a crafted URL.
- CVE-2013-7078Jan 19, 2014affected >= 4.5.0, < 4.5.31fixed 4.5.31
Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in the Extbase Framework in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6, when the Rewritten Property Mapper is enabled, allows
- CVE-2013-7081Dec 23, 2013affected >= 4.5.0, < 4.5.31fixed 4.5.31
The (old) Form Content Element component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated editors to generate arbitrary HMAC signatures and bypass intended access restrictions via unspecified vectors.
- CVE-2013-7080Dec 23, 2013affected >= 4.5.0, < 4.5.31fixed 4.5.31
The creating record functionality in Extension table administration library (feuser_adminLib.inc) in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, and 6.0.0 through 6.0.11 allows remote attackers to write to arbitrary fields in the configuration database table via crafted lin
- CVE-2013-7077Dec 21, 2013affected >= 6.0, < 6.0.12fixed 6.0.12
Cross-site scripting (XSS) vulnerability in the Backend User Administration Module in TYPO3 6.0.x before 6.0.12 and 6.1.x before 6.1.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2013-1843Mar 20, 2013affected >= 4.5.0, < 4.5.24fixed 4.5.24
Open redirect vulnerability in the Access tracking mechanism in TYPO3 4.5.x before 4.5.24, 4.6.x before 4.6.17, 4.7.x before 4.7.9, and 6.0.x before 6.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
- CVE-2013-1842Mar 20, 2013affected >= 4.5.0, < 4.5.24fixed 4.5.24
SQL injection vulnerability in the Extbase Framework in TYPO3 4.5.x before 4.5.24, 4.6.x before 4.6.17, 4.7.x before 4.7.9, and 6.0.x before 6.0.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to "the Query Object Model and relation va
- CVE-2010-5104May 21, 2012affected >= 4.2.0, < 4.2.16fixed 4.2.16
The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characte
- CVE-2009-3633Nov 2, 2009affected <= 4.0.13
Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to
- CVE-2008-2717Jun 16, 2008affected >= 4.0.0, < 4.0.9fixed 4.0.9
TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload atta
Page 5 of 5