Packagist (Composer) package
typo3/cms
pkg:composer/typo3/cms
Vulnerabilities (116)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-41114 | — | | | >= 11.0.0, < 11.5.0 | 11.5.0 | Oct 5, 2021 | TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute |
| CVE-2021-32768 | — | | | >= 10.0.0, < 10.4.19 | 10.4.19 | Aug 10, 2021 | TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting |
| CVE-2021-32767 | — | | | >= 10.0.0, < 10.4.18 | 10.4.18 | Jul 20, 2021 | TYPO3 is an open source PHP based web content management system. In versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may have been logged as plain-text. This occurs when explicitly using log level debug, which is not the default config |
| CVE-2021-32669 | — | | | >= 10.0.0, < 10.4.18 | 10.4.18 | Jul 20, 2021 | TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When settings for _backend layouts_ are not properly encoded, the corresponding grid view i |
| CVE-2021-32668 | — | | | >= 10.0.0, < 10.4.18 | 10.4.18 | Jul 20, 2021 | TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When error messages are not properly encoded, the components _QueryGenerator_ and _QueryVie |
| CVE-2021-32667 | — | | | >= 10.0.0, < 10.4.18 | 10.4.18 | Jul 20, 2021 | TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When _Page TSconfig_ settings are not properly encoded, corresponding page preview module ( |
| CVE-2021-21359 | — | | | >= 10.0.0, < 10.4.14 | 10.4.14 | Mar 23, 2021 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.25, 10.4.14, 11.1.1 requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another pag |
| CVE-2021-21370 | — | | | >= 10.0.0, < 10.4.14 | 10.4.14 | Mar 23, 2021 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the pa |
| CVE-2021-21339 | — | | | >= 10.0.0, < 10.4.14 | 10.4.14 | Mar 23, 2021 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cann |
| CVE-2021-21340 | — | | | >= 10.0.0, < 10.4.14 | 10.4.14 | Mar 23, 2021 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed. A valid backend user account |
| CVE-2021-21355 | — | | | >= 10.0.0, < 10.4.14 | 10.4.14 | Mar 23, 2021 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1, due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - how |
| CVE-2021-21357 | — | | | >= 10.0.0, < 10.4.14 | 10.4.14 | Mar 23, 2021 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 due to improper input validation, attackers can bypass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of th |
| CVE-2021-21358 | — | | | >= 10.0.0, < 10.4.14 | 10.4.14 | Mar 23, 2021 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form |
| CVE-2021-21338 | — | | | >= 10.0.0, < 10.4.14 | 10.4.14 | Mar 23, 2021 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that Login Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and con |
| CVE-2020-26229 | — | | | >= 10.0.0, < 10.4.10 | 10.4.10 | Nov 23, 2020 | TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reprodu |
| CVE-2020-26228 | — | | | >= 10.0.0, < 10.4.10 | 10.4.10 | Nov 23, 2020 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly an |
| CVE-2020-26227 | — | | | >= 10.0.0, < 10.4.10 | 10.4.10 | Nov 23, 2020 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. Update |
| CVE-2020-15241 | — | | | >= 8.0.0, < 8.7.25 | 8.7.25 | Oct 8, 2020 | TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versio |
| CVE-2020-15098 | — | | | >= 10.0.0, < 10.4.6 | 10.4.6 | Jul 29, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a va |
| CVE-2020-15099 | — | | | >= 10.0.0, < 10.4.6 | 10.4.6 | Jul 29, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnera |
Page 2 of 6