VYPR

Packagist (Composer) package

typo3/cms

pkg:composer/typo3/cms

Vulnerabilities (116)

  • CVE-2020-11069May 13, 2020
    affected >= 10.0.0, < 10.4.2fixed 10.4.2

    In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously mana

  • CVE-2020-11067May 13, 2020
    affected >= 10.0.0, < 10.4.2fixed 10.4.2

    In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A va

  • CVE-2020-11066May 13, 2020
    affected >= 10.0.0, < 10.4.2fixed 10.4.2

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering delet

  • CVE-2020-11065May 13, 2020
    affected >= 10.0.0, < 10.4.2fixed 10.4.2

    In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attribu

  • CVE-2020-11064May 13, 2020
    affected >= 10.0.0, < 10.4.2fixed 10.4.2

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend use

  • CVE-2020-11063May 13, 2020
    affected >= 10.0.0, < 10.4.2fixed 10.4.2

    In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been

  • CVE-2020-8091Jan 27, 2020
    affected >= 7.0.0, < 7.2.0fixed 7.2.0

    svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. This may be at a contrib/websvg/svg.swf pathname.

  • CVE-2019-19849Dec 17, 2019
    affected >= 10.0.0, < 10.2.1fixed 10.2.1

    An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (

  • CVE-2019-19850Dec 17, 2019
    affected >= 8.0, < 8.7.30fixed 8.7.30

    An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed,

  • CVE-2019-19848Dec 17, 2019
    affected >= 10.0.0, < 10.2.2fixed 10.2.2

    An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit thi

  • CVE-2011-3583Nov 25, 2019
    affected >= 4.5.0, <= 4.5.5

    It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are not properly replaced, could lead to a SQL Injection vulnerability. This issue can only be exploited if two or more parameters are bound to the query and at least two co

  • CVE-2011-4904Nov 6, 2019
    affected < 4.4.9fixed 4.4.9

    TYPO3 before 4.4.9 and 4.5.x before 4.5.4 does not apply proper access control on ExtDirect calls which allows remote attackers to retrieve ExtDirect endpoint services.

  • CVE-2011-4903Nov 6, 2019
    affected < 4.3.12fixed 4.3.12

    Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the RemoveXSS function.

  • CVE-2011-4902Nov 6, 2019
    affected < 4.3.12fixed 4.3.12

    TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to delete arbitrary files on the webserver.

  • CVE-2011-4901Nov 6, 2019
    affected < 4.3.12fixed 4.3.12

    TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to extract arbitrary information from the TYPO3 database.

  • CVE-2011-4900Nov 6, 2019
    affected < 4.5.4fixed 4.5.4

    TYPO3 before 4.5.4 allows Information Disclosure in the backend.

  • CVE-2011-4632Nov 6, 2019
    affected < 4.3.12fixed 4.3.12

    Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the tcemain flash message.

  • CVE-2011-4630Nov 6, 2019
    affected >= 4.5.0, < 4.5.4fixed 4.5.4

    Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the browse_links wizard.

  • CVE-2011-4628Nov 6, 2019
    affected < 4.3.12fixed 4.3.12

    TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authentication mechanisms in the backend through a crafted request.

  • CVE-2011-4627Nov 6, 2019
    affected < 4.3.12fixed 4.3.12

    TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows Information Disclosure on the backend.

Page 3 of 6