Packagist (Composer) package
typo3/cms
pkg:composer/typo3/cms
Vulnerabilities (116)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2014-3943 | — | >= 4.5.0, < 4.5.34 | 4.5.34 | Jun 3, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via u | ||
| CVE-2014-3942 | — | >= 4.5.0, < 4.5.34 | 4.5.34 | Jun 3, 2014 | The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object. | ||
| CVE-2014-3941 | — | >= 4.5.0, < 4.5.34 | 4.5.34 | Jun 3, 2014 | TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing." | ||
| CVE-2013-4321 | — | >= 6.0.0, < 6.0.9 | 6.0.9 | May 20, 2014 | The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete f | ||
| CVE-2013-4250 | — | >= 6.0.0, < 6.0.8 | 6.0.8 | May 20, 2014 | The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploading a .php file. | ||
| CVE-2012-6146 | — | >= 4.5, < 4.5.21 | 4.5.21 | May 20, 2014 | The Backend History Module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 does not properly restrict access, which allows remote authenticated editors to read the history of arbitrary records via a crafted URL. | ||
| CVE-2013-7341 | — | >= 6.2.0, < 6.2.14 | 6.2.14 | Mar 24, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted player | ||
| CVE-2013-7075 | — | >= 4.5.0, < 4.5.32 | 4.5.32 | Dec 23, 2013 | The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize arbitrary PHP objects, delete arbitrary files, and possibly have other unspecified imp | ||
| CVE-2013-7073 | — | >= 4.5.0, < 4.5.32 | 4.5.32 | Dec 23, 2013 | The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters. | ||
| CVE-2013-7074 | — | >= 4.5.0, < 4.5.32 | 4.5.32 | Dec 21, 2013 | Multiple cross-site scripting (XSS) vulnerabilities in Content Editing Wizards in TYPO3 4.5.x before 4.5.32, 4.7.x before 4.7.17, 6.0.x before 6.0.12, 6.1.x before 6.1.7, and the development versions of 6.2 allow remote authenticated users to inject arbitrary web script or HTML v | ||
| CVE-2013-4701 | — | >= 6.2.0, < 6.2.6 | 6.2.6 | Aug 21, 2013 | Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction wit | ||
| CVE-2012-6148 | — | >= 4.5.0, < 4.5.21 | 4.5.21 | Jul 1, 2013 | Cross-site scripting (XSS) vulnerability in the function menu API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2012-6147 | — | >= 4.5.0, < 4.5.21 | 4.5.21 | Jul 1, 2013 | Cross-site scripting (XSS) vulnerability in the tree render API (TCA-Tree) in the Backend API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2012-6145 | — | >= 4.5.0, < 4.5.21 | 4.5.21 | Jul 1, 2013 | Cross-site scripting (XSS) vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2012-6144 | — | >= 4.5.0, < 4.5.21 | 4.5.21 | Jul 1, 2013 | SQL injection vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2012-3531 | — | >= 4.5, < 4.5.19 | 4.5.19 | Sep 5, 2012 | Cross-site scripting (XSS) vulnerability in the Install Tool in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2012-3530 | — | >= 4.5, < 4.5.19 | 4.5.19 | Sep 5, 2012 | Incomplete blacklist vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain HTML5 JavaScript events. | ||
| CVE-2012-3529 | — | >= 4.5, < 4.5.19 | 4.5.19 | Sep 5, 2012 | The configuration module in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to obtain the encryption key via unspecified vectors. | ||
| CVE-2012-3528 | — | >= 4.5, < 4.5.19 | 4.5.19 | Sep 5, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2012-3527 | — | >= 4.5.0, < 4.5.19 | 4.5.19 | Sep 5, 2012 | view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing |
- CVE-2014-3943Jun 3, 2014affected >= 4.5.0, < 4.5.34fixed 4.5.34
Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via u
- CVE-2014-3942Jun 3, 2014affected >= 4.5.0, < 4.5.34fixed 4.5.34
The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object.
- CVE-2014-3941Jun 3, 2014affected >= 4.5.0, < 4.5.34fixed 4.5.34
TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing."
- CVE-2013-4321May 20, 2014affected >= 6.0.0, < 6.0.9fixed 6.0.9
The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete f
- CVE-2013-4250May 20, 2014affected >= 6.0.0, < 6.0.8fixed 6.0.8
The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploading a .php file.
- CVE-2012-6146May 20, 2014affected >= 4.5, < 4.5.21fixed 4.5.21
The Backend History Module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 does not properly restrict access, which allows remote authenticated editors to read the history of arbitrary records via a crafted URL.
- CVE-2013-7341Mar 24, 2014affected >= 6.2.0, < 6.2.14fixed 6.2.14
Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted player
- CVE-2013-7075Dec 23, 2013affected >= 4.5.0, < 4.5.32fixed 4.5.32
The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize arbitrary PHP objects, delete arbitrary files, and possibly have other unspecified imp
- CVE-2013-7073Dec 23, 2013affected >= 4.5.0, < 4.5.32fixed 4.5.32
The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters.
- CVE-2013-7074Dec 21, 2013affected >= 4.5.0, < 4.5.32fixed 4.5.32
Multiple cross-site scripting (XSS) vulnerabilities in Content Editing Wizards in TYPO3 4.5.x before 4.5.32, 4.7.x before 4.7.17, 6.0.x before 6.0.12, 6.1.x before 6.1.7, and the development versions of 6.2 allow remote authenticated users to inject arbitrary web script or HTML v
- CVE-2013-4701Aug 21, 2013affected >= 6.2.0, < 6.2.6fixed 6.2.6
Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction wit
- CVE-2012-6148Jul 1, 2013affected >= 4.5.0, < 4.5.21fixed 4.5.21
Cross-site scripting (XSS) vulnerability in the function menu API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2012-6147Jul 1, 2013affected >= 4.5.0, < 4.5.21fixed 4.5.21
Cross-site scripting (XSS) vulnerability in the tree render API (TCA-Tree) in the Backend API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2012-6145Jul 1, 2013affected >= 4.5.0, < 4.5.21fixed 4.5.21
Cross-site scripting (XSS) vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2012-6144Jul 1, 2013affected >= 4.5.0, < 4.5.21fixed 4.5.21
SQL injection vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to execute arbitrary SQL commands via unspecified vectors.
- CVE-2012-3531Sep 5, 2012affected >= 4.5, < 4.5.19fixed 4.5.19
Cross-site scripting (XSS) vulnerability in the Install Tool in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2012-3530Sep 5, 2012affected >= 4.5, < 4.5.19fixed 4.5.19
Incomplete blacklist vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain HTML5 JavaScript events.
- CVE-2012-3529Sep 5, 2012affected >= 4.5, < 4.5.19fixed 4.5.19
The configuration module in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to obtain the encryption key via unspecified vectors.
- CVE-2012-3528Sep 5, 2012affected >= 4.5, < 4.5.19fixed 4.5.19
Multiple cross-site scripting (XSS) vulnerabilities in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2012-3527Sep 5, 2012affected >= 4.5.0, < 4.5.19fixed 4.5.19
view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing
Page 5 of 6