VYPR Vendor CVEs: TYPO3 (all CVEs)

539 total · sorted by risk
  • CVE-2022-36106 (Sep 13, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the expiration time of a password reset link for TYPO3 backend users has never been evaluated. As a result, a password reset link could be used to perform a…

  • CVE-2022-36107 (Sep 13, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the `FileDumpController` (backend and frontend context) is vulnerable to cross-site scripting when malicious files are displayed using this component. A valid…

  • CVE-2022-36104 (Sep 13, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another…

  • CVE-2022-36108 (Sep 13, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the `f:asset.css` view helper is vulnerable to cross-site scripting when user input is passed as variables to the CSS. Update to TYPO3 version 10.4.32 or…

  • CVE-2022-29600 (Jul 12, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    The oelib (aka One is Enough Library) extension through 4.1.5 for TYPO3 allows SQL Injection.

  • CVE-2022-29601 (Jul 12, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    The seminars (aka Seminar Manager) extension through 4.1.3 for TYPO3 allows SQL Injection.

  • CVE-2022-31050 (Jun 14, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was degraded to lower permissions or…

  • CVE-2022-31048 (Jun 14, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source web content management system. Prior to versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is…

  • CVE-2022-31049 (Jun 14, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, user submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those…

  • CVE-2022-31046 (Jun 14, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the export functionality fails to limit the result set to allowed columns of a particular database table. This way, authenticated users can…

  • CVE-2022-31047 (Jun 14, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, system internal credentials or keys (e.g. database credentials) can be logged as plaintext in exception handlers, when logging the complete…

  • CVE-2022-28543 (Apr 11, 2022)
    risk 0.00 · cvss n/a · epss 0.00

    Path traversal vulnerability in Samsung Flow prior to version 4.8.07.4 allows local attackers to read arbitrary files with Samsung Flow's permissions. (This entry describes Samsung Flow, not TYPO3; it appears to be misfiled under this vendor.)

  • CVE-2022-24979 (Feb 19, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in the Varnishcache extension before 2.0.1 for TYPO3. The Edge Site Includes (ESI) content element renderer component does not include an access check. This allows an unauthenticated user to render various content elements, resulting in insecure direct…

  • CVE-2021-43563 (Nov 10, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in the pixxio (aka pixx.io integration or DAM) extension before 1.0.6 for TYPO3. The Access Control in the bundled media browser is broken, which allows an unauthenticated attacker to perform requests to the pixx.io API for the configured API user. This…

  • CVE-2021-43562 (Nov 10, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in the pixxio (aka pixx.io integration or DAM) extension before 1.0.6 for TYPO3. The extension fails to restrict the image download to the configured pixx.io DAM URL, resulting in SSRF. As a result, an attacker can download various content from a remote…

  • CVE-2021-41113 (Oct 5, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. The…

  • CVE-2021-41114 (Oct 5, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate…
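    Host spoofing of the kind CVE-2021-41114 describes is contained by checking the Host header against an allow-list before any absolute URL (a password-reset link, a canonical URL) is built from it. TYPO3 exposes that allow-list as the `$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']` setting. The PHP below is an added example and not TYPO3's own code: the regular expression, the canonical-host fallback and the sample requests are constructed for this illustration, and the `D` modifier on both patterns is there so a trailing newline cannot slip past `$`.

```php
<?php
// Added example, not TYPO3 project code: validate the HTTP Host header against
// an allow-list before it is used to build absolute URLs. TYPO3's equivalent
// knob is $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']; the pattern,
// the canonical host and the sample requests below are constructed for this example.
declare(strict_types=1);

// Anchored, case-insensitive allow-list. Browsers may send host:port, so the
// optional port has to be part of the pattern or legitimate requests fail.
// The D modifier makes $ match only at the very end, not before a trailing "\n".
const TRUSTED_HOSTS_PATTERN = '/^(www\.example\.org|example\.org)(:\d{1,5})?$/iD';

function isTrustedHost(string $host, string $pattern = TRUSTED_HOSTS_PATTERN): bool
{
    // Cheap structural check first: hostname characters plus an optional port only.
    // This keeps "user@host", paths, whitespace and CR/LF away from the real regex.
    if ($host === '' || preg_match('/^[A-Za-z0-9.-]+(:\d{1,5})?$/D', $host) !== 1) {
        return false;
    }
    return preg_match($pattern, $host) === 1;
}

// Builds an absolute link (the kind that ends up in a password-reset mail).
// An untrusted Host value is never echoed back; a configured canonical host is
// used instead, so the generated link cannot point at the attacker's server.
function absoluteUrl(array $server, string $path, string $canonicalHost = 'www.example.org'): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host = $server['HTTP_HOST'] ?? '';
    if (!isTrustedHost($host)) {
        $host = $canonicalHost;
    }
    return $scheme . '://' . $host . '/' . ltrim($path, '/');
}

// Constructed requests: legitimate, legitimate with a port, spoofed, and a
// header-injection attempt that the structural check must reject.
$requests = [
    ['HTTP_HOST' => 'www.example.org',  'HTTPS' => 'on'],
    ['HTTP_HOST' => 'example.org:8443', 'HTTPS' => 'on'],
    ['HTTP_HOST' => 'attacker.example', 'HTTPS' => 'on'],
    ['HTTP_HOST' => "www.example.org\r\nX-Injected: 1", 'HTTPS' => 'on'],
];
foreach ($requests as $server) {
    printf(
        "%-40s trusted=%-3s link=%s\n",
        json_encode($server['HTTP_HOST']),
        isTrustedHost($server['HTTP_HOST']) ? 'yes' : 'no',
        absoluteUrl($server, '/typo3/index.php?reset=TOKEN')
    );
}
```

    The fallback to a fixed canonical host is the important design choice: rejecting the request outright is also acceptable, but silently generating links from whatever `Host` the client sent is exactly the behaviour the advisory describes.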

  • CVE-2021-36792 (Aug 13, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 has incorrect Access Control for confirming various applications.

  • CVE-2021-36791 (Aug 13, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows Information Disclosure of application registration data.

  • CVE-2021-36790 (Aug 13, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows XSS.

  • CVE-2021-36789 (Aug 13, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows SQL Injection.

  • CVE-2021-32768 (Aug 10, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site…

  • CVE-2021-32767 (Jul 20, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system. In versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may have been logged as plain text. This occurs when explicitly using log level debug, which is not the default…

  • CVE-2021-32669 (Jul 20, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When settings for _backend layouts_ are not properly encoded, the corresponding grid view…

  • CVE-2021-32668 (Jul 20, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When error messages are not properly encoded, the components _QueryGenerator_ and…

  • CVE-2021-32667 (Jul 20, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When _Page TSconfig_ settings are not properly encoded, corresponding page preview module…

  • CVE-2021-21359 (Mar 23, 2021)
    risk 0.00 · cvss n/a · epss 0.02

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.25, 10.4.14, 11.1.1 requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another…

  • CVE-2021-21370 (Mar 23, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the…

  • CVE-2021-21339 (Mar 23, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability…

  • CVE-2021-21340 (Mar 23, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed. A valid backend user…

  • CVE-2021-21355 (Mar 23, 2021)
    risk 0.00 · cvss n/a · epss 0.02

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1, due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions -…
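    The check CVE-2021-21355 says was missing is that the extension a file is stored under must belong to the MIME type actually detected from its bytes; an allow-list of types alone lets `shell.php` through as long as the client labels it an image. The PHP below is an added example and not TYPO3's own upload handling: the allow-list and the two sample uploads are constructed for this illustration, and content sniffing uses PHP's bundled `finfo` extension.

```php
<?php
// Added example, not TYPO3 project code: tie an uploaded file's extension to the
// MIME type detected from its bytes, so that a file cannot be stored as "x.php"
// merely because the client claimed it was an image (or vice versa). The
// allow-list and the sample uploads are constructed for this example.
declare(strict_types=1);

// Allow-list keyed by detected MIME type; each entry lists the extensions that
// type may legitimately be stored under. Anything not listed is rejected.
const ALLOWED_TYPES = [
    'image/png'  => ['png'],
    'image/jpeg' => ['jpg', 'jpeg'],
    'text/plain' => ['txt'],
];

function detectMimeType(string $bytes): string
{
    // Sniff the content itself; the Content-Type the browser sent is attacker input.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->buffer($bytes);
    return is_string($mime) ? $mime : 'application/octet-stream';
}

function uploadIsAllowed(string $clientFilename, string $bytes, array $allowed = ALLOWED_TYPES): bool
{
    // Only the last extension counts and it is normalised: "x.png.php" yields "php".
    $ext = strtolower(pathinfo($clientFilename, PATHINFO_EXTENSION));
    if ($ext === '') {
        return false;
    }
    $mime = detectMimeType($bytes);
    // The extension must belong to the detected type, not merely to some allowed type.
    return isset($allowed[$mime]) && in_array($ext, $allowed[$mime], true);
}

// Constructed uploads: a minimal PNG signature, and PHP source renamed to look like one.
$pngBytes = "\x89PNG\x0d\x0a\x1a\x0a" . str_repeat("\0", 16);
$phpBytes = '<?php system($_GET["c"]);';

$uploads = [
    ['avatar.png', $pngBytes],   // bytes and extension agree
    ['avatar.php', $pngBytes],   // right bytes, extension not allowed for image/png
    ['avatar.png', $phpBytes],   // wrong bytes behind an innocent-looking extension
];
foreach ($uploads as [$name, $bytes]) {
    printf(
        "%-12s detected=%-20s %s\n",
        $name,
        detectMimeType($bytes),
        uploadIsAllowed($name, $bytes) ? 'allowed' : 'rejected'
    );
}
```

    Note the direction of the lookup: the detected type selects the permitted extensions, so a name with an allowed extension is still rejected when its bytes sniff as something else, and an allowed type is still rejected when it arrives under an extension the web server would execute.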

  • CVE-2021-21357 (Mar 23, 2021)
    risk 0.00 · cvss n/a · epss 0.02

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of…

  • CVE-2021-21358 (Mar 23, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the…

  • CVE-2021-21338 (Mar 23, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that Login Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and…

  • CVE-2020-26229 (Nov 23, 2020)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually…

  • CVE-2020-26228 (Nov 23, 2020)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly…
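    Both CVE-2020-26228 and CVE-2021-21339 above describe the same weakness: the identifier a browser presents in its cookie is stored verbatim in the session table, so anyone who can read that table (a SQL injection, a stray backup, a debug log) can take over every active session. The fix is to store only a one-way, keyed transform of the identifier and recompute it on lookup. The PHP below is an added example and not TYPO3's own session code: the secret and the in-memory table are constructed for this illustration, and TYPO3's per-installation secret lives in `$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']`.

```php
<?php
// Added example, not TYPO3 project code: keep only a keyed hash of each session
// identifier on the server so that a leaked session table does not yield usable
// cookies. The secret and the in-memory "table" are constructed for this example;
// TYPO3 keeps a per-installation secret in $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].
declare(strict_types=1);

// Per-installation secret. It belongs in configuration, never next to the table
// it protects. HMAC rather than a bare hash means the stored value cannot be
// recomputed from a known identifier by anyone who lacks the secret.
const SERVER_SECRET = 'constructed-example-secret-replace-in-real-code';

function hashSessionId(string $sessionId, string $secret = SERVER_SECRET): string
{
    return hash_hmac('sha256', $sessionId, $secret);
}

// Creates a session: the raw identifier goes to the browser, only its hash is stored.
function createSession(array &$table, int $userId): string
{
    $sessionId = bin2hex(random_bytes(32));
    $table[hashSessionId($sessionId)] = ['user' => $userId, 'created' => time()];
    return $sessionId;
}

// Resolves a cookie value; the lookup key is recomputed, the cookie itself is never a key.
function lookupSession(array $table, string $cookieValue): ?array
{
    return $table[hashSessionId($cookieValue)] ?? null;
}

$table  = [];
$cookie = createSession($table, 42);

// The cookie value is not present in the table,
if (isset($table[$cookie])) {
    throw new RuntimeException('raw session id must not be stored');
}
// yet the real cookie still resolves to its session,
if ((lookupSession($table, $cookie)['user'] ?? null) !== 42) {
    throw new RuntimeException('hashed lookup failed');
}
// and a value copied out of the table is useless as a cookie.
if (lookupSession($table, array_key_first($table)) !== null) {
    throw new RuntimeException('stored hash must not act as a session id');
}
echo "session id hashed at rest; lookups succeed only with the real cookie\n";
```

    The identifier must still come from a CSPRNG (`random_bytes` here); hashing at rest protects against table disclosure, not against guessable identifiers.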

  • CVE-2020-26227 (Nov 23, 2020)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers.…

  • CVE-2020-28917 (Nov 18, 2020)
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in the view_statistics (aka View frontend statistics) extension before 2.0.1 for TYPO3. It saves all GET and POST data of TYPO3 frontend requests to the database. Depending on the extensions used on a TYPO3 website, sensitive data (e.g., cleartext…

  • CVE-2020-15098 (Jul 29, 2020)
    risk 0.00 · cvss n/a · epss 0.02

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a…

  • CVE-2020-15099 (Jul 29, 2020)
    risk 0.00 · cvss n/a · epss 0.02

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing…

  • CVE-2020-15516 (Jul 7, 2020)
    risk 0.00 · cvss n/a · epss 0.00

    The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via CSRF.

  • CVE-2020-11069 (May 13, 2020)
    risk 0.00 · cvss n/a · epss 0.01

    In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously…

  • CVE-2020-11067 (May 13, 2020)
    risk 0.00 · cvss n/a · epss 0.02

    In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A…

  • CVE-2020-11066 (May 13, 2020)
    risk 0.00 · cvss n/a · epss 0.01

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering…
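    CVE-2020-11067 and CVE-2020-11066 above are both instances of the same PHP hazard: `unserialize()` on bytes an attacker controls instantiates whatever loadable class the payload names, and any `__wakeup` or `__destruct` on that class runs with the attacker's property values. The PHP below is an added example and not TYPO3's own code: the `LogWriter` gadget and the payload are constructed for this illustration and stand in for the "third party components" the advisory mentions. It requires PHP 8.0 or later.

```php
<?php
// Added example, not TYPO3 project code: what unserialize() on attacker-controlled
// bytes does, and two ways to contain it. The LogWriter class and the payload are
// constructed gadgets for this example and stand in for the "third party
// components" the advisory mentions. Requires PHP 8.0 or later.
declare(strict_types=1);

class LogWriter
{
    public function __construct(public string $path = '', public string $content = '') {}

    // Any magic method that runs during the object lifecycle is a gadget: whoever
    // controls the serialized bytes controls $path and $content. unserialize()
    // never calls the constructor, so the defaults above offer no protection.
    public function __destruct()
    {
        // A real gadget would do: file_put_contents($this->path, $this->content);
        echo "gadget fired: would write to {$this->path}\n";
    }
}

// Attacker-supplied value, e.g. smuggled into a persisted user-settings blob
// such as the backend $BE_USER->uc array the advisory refers to.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:18:"/var/www/shell.php";s:7:"content";s:5:"<?php";}';

// Vulnerable: every loadable class is fair game, and __destruct runs on cleanup.
function unsafeRestore(string $blob): mixed
{
    return unserialize($blob);
}

// Contained: objects are not materialised. PHP substitutes __PHP_Incomplete_Class,
// which carries no magic methods of its own, and max_depth bounds nested payloads.
function safeRestore(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false, 'max_depth' => 32]);
}

// Preferred for new code: a data-only format with no object semantics at all.
function safeRestoreJson(string $blob): mixed
{
    return json_decode($blob, true, 32, JSON_THROW_ON_ERROR);
}

$restored = safeRestore($payload);
echo 'restricted unserialize produced an object of class ', get_class($restored), "\n";

$restoredJson = safeRestoreJson('{"path":"/var/www/shell.php","content":"<?php"}');
echo 'json_decode produced a value of type ', gettype($restoredJson), "\n";

// Uncomment to watch the gadget run the moment the object is released:
// $obj = unsafeRestore($payload); unset($obj);
```

    `allowed_classes` can also be an array of class names when a legacy format genuinely needs objects back, but an allow-list is only as safe as the least harmful class on it; for settings blobs like `uc`, plain arrays via JSON remove the problem entirely.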

  • CVE-2020-11065 (May 13, 2020)
    risk 0.00 · cvss n/a · epss 0.01

    In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML…

  • CVE-2020-11064 (May 13, 2020)
    risk 0.00 · cvss n/a · epss 0.01

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend…

  • CVE-2020-11063 (May 13, 2020)
    risk 0.00 · cvss n/a · epss 0.01

    In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has…

  • CVE-2011-3584 (Nov 25, 2019)
    risk 0.00 · cvss n/a · epss 0.01

    The TYPO3 Core wec_discussion extension before 2.1.1 is vulnerable to SQL Injection due to improper sanitization of user-supplied input.

  • CVE-2011-3583 (Nov 25, 2019)
    risk 0.00 · cvss n/a · epss 0.01

    It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are not properly replaced, could lead to a SQL Injection vulnerability. This issue can only be exploited if two or more parameters are bound to the query and at least two…

  • CVE-2011-4904 (Nov 6, 2019)
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 before 4.4.9 and 4.5.x before 4.5.4 does not apply proper access control on ExtDirect calls which allows remote attackers to retrieve ExtDirect endpoint services.

Page 3 of 11