Typo3
by TYPO3
CVEs (206)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-21358 | | | 0.00 | — | 0.01 | | Mar 23, 2021 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the… |
| CVE-2021-21338 | | | 0.00 | — | 0.01 | | Mar 23, 2021 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that Login Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and… |
| CVE-2020-26229 | | | 0.00 | — | 0.01 | | Nov 23, 2020 | TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually… |
| CVE-2020-26228 | | | 0.00 | — | 0.01 | | Nov 23, 2020 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly… |
| CVE-2020-26227 | | | 0.00 | — | 0.01 | | Nov 23, 2020 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers.… |
| CVE-2020-15098 | | | 0.00 | — | 0.02 | | Jul 29, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a… |
| CVE-2020-15099 | | | 0.00 | — | 0.02 | | Jul 29, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing… |
| CVE-2020-11069 | | | 0.00 | — | 0.01 | | May 13, 2020 | In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously… |
| CVE-2020-11067 | | | 0.00 | — | 0.02 | | May 13, 2020 | In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A… |
| CVE-2020-11066 | | | 0.00 | — | 0.01 | | May 13, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering… |
| CVE-2020-11065 | | | 0.00 | — | 0.01 | | May 13, 2020 | In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML… |
| CVE-2020-11064 | | | 0.00 | — | 0.01 | | May 13, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend… |
| CVE-2020-11063 | | | 0.00 | — | 0.01 | | May 13, 2020 | In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has… |
| CVE-2011-4904 | | | 0.00 | — | 0.01 | | Nov 6, 2019 | TYPO3 before 4.4.9 and 4.5.x before 4.5.4 does not apply proper access control on ExtDirect calls which allows remote attackers to retrieve ExtDirect endpoint services. |
| CVE-2011-4903 | | | 0.00 | — | 0.01 | | Nov 6, 2019 | Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the RemoveXSS function. |
| CVE-2011-4902 | | | 0.00 | — | 0.01 | | Nov 6, 2019 | TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to delete arbitrary files on the webserver. |
| CVE-2011-4901 | | | 0.00 | — | 0.01 | | Nov 6, 2019 | TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to extract arbitrary information from the TYPO3 database. |
| CVE-2011-4900 | | | 0.00 | — | 0.01 | | Nov 6, 2019 | TYPO3 before 4.5.4 allows Information Disclosure in the backend. |
| CVE-2011-4632 | | | 0.00 | — | 0.01 | | Nov 6, 2019 | Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the tcemain flash message. |
| CVE-2011-4631 | | | 0.00 | — | 0.01 | | Nov 6, 2019 | Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the system extension recycler. |