VYPR

Packagist (Composer) package

typo3/cms

pkg:composer/typo3/cms

Vulnerabilities (116)

  • CVE-2012-1608 (Sep 4, 2012)
    affected >= 4.4.0, < 4.4.14; fixed 4.4.14

    The t3lib_div::RemoveXSS API method in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism and inject arbitrary web script or HTML via non-printable characters.

  • CVE-2012-1607 (Sep 4, 2012)
    affected >= 4.4.0, <= 4.4.13

    The Command Line Interface (CLI) script in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to obtain the database name via a direct request.

  • CVE-2012-1606 (Sep 4, 2012)
    affected >= 4.4.0, < 4.4.14; fixed 4.4.14

    Multiple cross-site scripting (XSS) vulnerabilities in the Backend component in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2012-1605 (Sep 4, 2012)
    affected >= 4.6, < 4.6.7; fixed 4.6.7

    The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unserializes untrusted data, which allows remote attackers to unserialize arbitrary objects and possibly execute arbitrary code via vectors related to "a missing signature (HMAC) for a request argument."

  • CVE-2012-2112 (Aug 27, 2012)
    affected >= 4.4, < 4.4.15; fixed 4.4.15

    Cross-site scripting (XSS) vulnerability in the Exception Handler in TYPO3 4.4.x before 4.4.15, 4.5.x before 4.5.15, 4.6.x before 4.6.8, and 4.7 allows remote attackers to inject arbitrary web script or HTML via exception messages.

  • CVE-2010-5099 (May 30, 2012)
    affected >= 4.2.0, < 4.2.16; fixed 4.2.16

    The fileDenyPattern functionality in the PHP file inclusion protection API in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly filter file types, which allows remote attackers to bypass intended access restrictions and access arbitrary PHP f

  • CVE-2010-5103 (May 21, 2012)
    affected >= 4.2.0, < 4.2.16; fixed 4.2.16

    SQL injection vulnerability in the list module in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2010-5101 (May 21, 2012)
    affected >= 4.2.0, < 4.2.16; fixed 4.2.16

    Directory traversal vulnerability in the TypoScript setup in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated administrators to read arbitrary files via unspecified vectors related to the "file inclusion functionality."

  • CVE-2010-3714 (Oct 25, 2010)
    affected >= 4.2.0, < 4.2.15; fixed 4.2.15

    The jumpUrl (aka access tracking) implementation in tslib/class.tslib_fe.php in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allows remote attackers to read arbitrary fil

  • CVE-2010-1153 (Apr 20, 2010)
    affected >= 4.3.0, < 4.3.3; fixed 4.3.3

    PHP remote file inclusion vulnerability in the autoloader in TYPO3 4.3.x before 4.3.3 allows remote attackers to execute arbitrary PHP code via a URL in an input field associated with the className variable.

  • CVE-2009-3635 (Nov 2, 2009)
    affected <= 4.0.13

    The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential.

  • CVE-2009-0816 (Mar 5, 2009)
    affected >= 3.3.0

    Multiple cross-site scripting (XSS) vulnerabilities in the backend user interface in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 allow remote attackers to inject arbitrary web script or HTML via unspecified fields.

  • CVE-2009-0815 (Mar 5, 2009)
    affected >= 3.3, < 4.0.12; fixed 4.0.12

    The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a reque

  • CVE-2009-0258 (Jan 22, 2009)
    affected >= 4.0.0, < 4.0.10; fixed 4.0.10

    The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by th

  • CVE-2009-0256 (Jan 22, 2009)
    affected >= 4.0.0, < 4.0.10; fixed 4.0.10

    Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication.

  • CVE-2005-4875 (Dec 31, 2005)
    affected < 3.8.1; fixed 3.8.1

    TYPO3 3.8.0 and earlier allows remote attackers to obtain sensitive information via a direct request to misc/phpcheck/, which invokes the phpinfo function and prints values of unspecified environment variables.

Page 6 of 6