Version v7.6.24

typo3/cms

[READ-ONLY] Subtree split of the TYPO3 Core Extension "frontend"

Install Instructions

composer require typo3/cms
Language PHP

Find typo3/cms vulnerabilities in your supply chain.

Scan for Free

typo3/cms Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2010-1022 High 7.5 CWE-287 0.00749 0.8144
  • dev-master
  • dev-TYPO3_8-7
  • dev-TYPO3_8-6
  • dev-TYPO3_8-5
  • dev-TYPO3_8-4
  • dev-TYPO3_8-3
  • dev-TYPO3_8-2
  • dev-TYPO3_8-1
  • dev-TYPO3_8-0
  • dev-TYPO3_7-6
  • dev-TYPO3_7-3
  • dev-TYPO3_7-0
  • dev-TYPO3_6-2
CVE-2011-4628 High 9.8 CWE-287 0.00714 0.80959
  • dev-master
  • dev-TYPO3_8-7
  • dev-TYPO3_8-6
  • dev-TYPO3_8-5
  • dev-TYPO3_8-4
  • dev-TYPO3_8-3
  • dev-TYPO3_8-2
  • dev-TYPO3_8-1
  • dev-TYPO3_8-0
  • dev-TYPO3_7-6
  • dev-TYPO3_7-3
  • dev-TYPO3_7-0
  • dev-TYPO3_6-2
CVE-2011-4627 Medium 6.5 CWE-200 0.00063 0.28244
  • dev-master
  • dev-TYPO3_8-7
  • dev-TYPO3_8-6
  • dev-TYPO3_8-5
  • dev-TYPO3_8-4
  • dev-TYPO3_8-3
  • dev-TYPO3_8-2
  • dev-TYPO3_8-1
  • dev-TYPO3_8-0
  • dev-TYPO3_7-6
  • dev-TYPO3_7-3
  • dev-TYPO3_7-0
  • dev-TYPO3_6-2
CVE-2011-4630 Medium 5.4 CWE-79 0.00064 0.29344
  • dev-master
  • dev-TYPO3_8-7
  • dev-TYPO3_8-6
  • dev-TYPO3_8-5
  • dev-TYPO3_8-4
  • dev-TYPO3_8-3
  • dev-TYPO3_8-2
  • dev-TYPO3_8-1
  • dev-TYPO3_8-0
  • dev-TYPO3_7-6
  • dev-TYPO3_7-3
  • dev-TYPO3_7-0
  • dev-TYPO3_6-2
CVE-2011-4632 Medium 5.4 CWE-79 0.00064 0.29344
  • dev-master
  • dev-TYPO3_8-7
  • dev-TYPO3_8-6
  • dev-TYPO3_8-5
  • dev-TYPO3_8-4
  • dev-TYPO3_8-3
  • dev-TYPO3_8-2
  • dev-TYPO3_8-1
  • dev-TYPO3_8-0
  • dev-TYPO3_7-6
  • dev-TYPO3_7-3
  • dev-TYPO3_7-0
  • dev-TYPO3_6-2
CVE-2011-4900 Medium 6.5 CWE-200 0.00058 0.25985
  • dev-master
  • dev-TYPO3_8-7
  • dev-TYPO3_8-6
  • dev-TYPO3_8-5
  • dev-TYPO3_8-4
  • dev-TYPO3_8-3
  • dev-TYPO3_8-2
  • dev-TYPO3_8-1
  • dev-TYPO3_8-0
  • dev-TYPO3_7-6
  • dev-TYPO3_7-3
  • dev-TYPO3_7-0
  • dev-TYPO3_6-2
CVE-2011-4901 Medium 6.5 CWE-200 0.00117 0.46764
  • dev-master
  • dev-TYPO3_8-7
  • dev-TYPO3_8-6
  • dev-TYPO3_8-5
  • dev-TYPO3_8-4
  • dev-TYPO3_8-3
  • dev-TYPO3_8-2
  • dev-TYPO3_8-1
  • dev-TYPO3_8-0
  • dev-TYPO3_7-6
  • dev-TYPO3_7-3
  • dev-TYPO3_7-0
  • dev-TYPO3_6-2
CVE-2011-4903 Medium 6.1 CWE-79 0.00124 0.4794
  • dev-master
  • dev-TYPO3_8-7
  • dev-TYPO3_8-6
  • dev-TYPO3_8-5
  • dev-TYPO3_8-4
  • dev-TYPO3_8-3
  • dev-TYPO3_8-2
  • dev-TYPO3_8-1
  • dev-TYPO3_8-0
  • dev-TYPO3_7-6
  • dev-TYPO3_7-3
  • dev-TYPO3_7-0
  • dev-TYPO3_6-2
CVE-2011-4902 Medium 6.5 CWE-20 0.00087 0.38328
  • dev-master
  • dev-TYPO3_8-7
  • dev-TYPO3_8-6
  • dev-TYPO3_8-5
  • dev-TYPO3_8-4
  • dev-TYPO3_8-3
  • dev-TYPO3_8-2
  • dev-TYPO3_8-1
  • dev-TYPO3_8-0
  • dev-TYPO3_7-6
  • dev-TYPO3_7-3
  • dev-TYPO3_7-0
  • dev-TYPO3_6-2
CVE-2011-4904 Medium 6.5 CWE-20 0.00115 0.46342
  • dev-master
  • dev-TYPO3_8-7
  • dev-TYPO3_8-6
  • dev-TYPO3_8-5
  • dev-TYPO3_8-4
  • dev-TYPO3_8-3
  • dev-TYPO3_8-2
  • dev-TYPO3_8-1
  • dev-TYPO3_8-0
  • dev-TYPO3_7-6
  • dev-TYPO3_7-3
  • dev-TYPO3_7-0
  • dev-TYPO3_6-2
CVE-2014-3945 Medium 4 CWE-287 0.00264 0.66572
  • dev-master
  • dev-TYPO3_8-7
  • dev-TYPO3_8-6
  • dev-TYPO3_8-5
  • dev-TYPO3_8-4
  • dev-TYPO3_8-3
  • dev-TYPO3_8-2
  • dev-TYPO3_8-1
  • dev-TYPO3_8-0
  • dev-TYPO3_7-6
  • dev-TYPO3_7-3
  • dev-TYPO3_7-0
  • dev-TYPO3_6-2
CVE-2018-6905 Medium 4.8 CWE-79 0.00075 0.33558
  • v9.0.0
  • v8.7.3–v8.7.9
  • v7.6.20–v7.6.24
  • dev-master
  • dev-TYPO3_8-7
  • dev-TYPO3_8-6
  • dev-TYPO3_8-5
  • dev-TYPO3_8-4
  • dev-TYPO3_8-3
  • dev-TYPO3_8-2
  • dev-TYPO3_8-1
  • dev-TYPO3_8-0
  • dev-TYPO3_7-6
  • dev-TYPO3_7-3
  • dev-TYPO3_7-0
  • dev-TYPO3_6-2
  • 8.0.0–8.7.10
  • 7.0.0–7.6.23
  • 6.2.0–6.2.31
CVE-2022-47406 High 9.8 CWE-613 0.00201 0.58541
  • dev-master
  • dev-TYPO3_8-7
  • dev-TYPO3_8-6
  • dev-TYPO3_8-5
  • dev-TYPO3_8-4
  • dev-TYPO3_8-3
  • dev-TYPO3_8-2
  • dev-TYPO3_8-1
  • dev-TYPO3_8-0
  • dev-TYPO3_7-6
  • dev-TYPO3_7-3
  • dev-TYPO3_7-0
  • dev-TYPO3_6-2
CVE-2013-4701 High 7.5 CWE-611 0.0064 0.79678
  • 6.2.0–6.2.5
CVE-2013-7341 Medium 4.3 CWE-79 0.00254 0.65786
  • 7.0.0–7.3.0
  • 6.2.0–6.2.13
CVE-2014-9508 Medium 4.3 CWE-59 0.00192 0.57669
  • 7.0.0–7.0.1
  • 6.2.0–6.2.8
CVE-2014-9509 High 7.5 CWE-20 0.00855 0.82746
  • 7.0.0–7.0.1
  • 6.2.0–6.2.8
CVE-2015-5956 Low 3.5 CWE-79 0.04664 0.92837
  • 7.0.0–7.3.1
  • 6.2.0–6.2.14
CVE-2015-8755 Medium 5.4 CWE-79 0.00084 0.36896
  • 7.0.0–7.6.0
  • 6.2.0–6.2.15
CVE-2016-4056 Medium 6.1 CWE-79 0.00166 0.54131
  • 6.2.0–6.2.18
CVE-2020-8091 Medium 6.1 CWE-79 0.002 0.58385
  • 7.0.0–7.0.2
  • 6.2.0–6.2.31
CVE-2014-3941 Medium 5 CWE-297, CWE-20 0.00591 0.78785
  • 6.2.0–6.2.2
CVE-2014-3943 Low 3.5 CWE-79 0.00104 0.43409
  • 6.2.0–6.2.2
CVE-2014-3944 Medium 5.8 CWE-287 0.00264 0.66572
  • 6.2.0–6.2.2
CVE-2014-3946 Medium 4 CWE-200 0.00118 0.47041
  • 6.2.0–6.2.2
CVE-2021-32768 Medium 6.1 CWE-79 0.00084 0.3709
  • v9.0.0–v9.1.0
  • v8.7.3–v8.7.9
  • v7.6.20–v7.6.24
  • 8.0.0–8.7.10
  • 7.0.0–7.6.23
CVE-2018-14041 Medium 6.1 CWE-79 0.00403 0.74211
  • v9.0.0–v9.1.0
  • v8.7.3–v8.7.9
  • 8.0.0–8.7.10
CVE-2018-17960 Medium 6.1 CWE-79 0.00114 0.46055
  • v9.0.0–v9.1.0
  • v8.7.3–v8.7.9
  • 8.0.0–8.7.10
CVE-2019-10912 High 7.1 CWE-502 0.00359 0.72762
  • v9.0.0–v9.1.0
CVE-2019-11832 High 7.5 CWE-20 0.00775 0.81808
  • v9.0.0–v9.1.0
  • v8.7.3–v8.7.9
  • 8.0.0–8.7.10
CVE-2019-12747 High 8.8 CWE-502 0.00102 0.42821
  • v9.0.0–v9.1.0
  • v8.7.3–v8.7.9
  • 8.0.0–8.7.10
CVE-2019-12748 Medium 6.1 CWE-79 0.00078 0.35003
  • v9.0.0–v9.1.0
  • v8.7.3–v8.7.9
  • 8.0.0–8.7.10
CVE-2019-19848 High 7.2 CWE-22 0.0018 0.56039
  • v9.0.0–v9.1.0
  • v8.7.3–v8.7.9
  • 8.0.0–8.7.10
CVE-2019-19849 High 8.8 CWE-502 0.00102 0.42821
  • v9.0.0–v9.1.0
  • v8.7.3–v8.7.9
  • 8.0.0–8.7.10
CVE-2019-19850 High 7.2 CWE-89 0.00087 0.37972
  • v9.0.0–v9.1.0
  • v8.7.3–v8.7.9
  • 8.0.0–8.7.10
CVE-2020-11064 Medium 5.4 CWE-79 0.00053 0.22411
  • v9.0.0–v9.1.0
CVE-2020-11065 Medium 5.4 CWE-79 0.00053 0.22411
  • v9.0.0–v9.1.0
CVE-2020-11066 High 10 CWE-1321, CWE-915 0.00108 0.44855
  • v9.0.0–v9.1.0
CVE-2020-11067 High 8.8 CWE-502 0.00653 0.79937
  • v9.0.0–v9.1.0
CVE-2020-11069 High 8.8 CWE-346, CWE-352 0.00082 0.36226
  • v9.0.0–v9.1.0
CVE-2020-15098 High 8.8 CWE-20, CWE-502, CWE-325, CWE-327, CWE-200 0.00318 0.71043
  • v9.0.0–v9.1.0
CVE-2020-15099 High 8.1 CWE-200, CWE-20 0.00944 0.83604
  • v9.0.0–v9.1.0
CVE-2020-15241 Medium 6.1 CWE-79 0.00117 0.46692
  • v9.0.0–v9.1.0
  • v8.7.3–v8.7.9
  • 8.0.0–8.7.10
CVE-2020-26227 Medium 6.1 CWE-79 0.00112 0.45563
  • v9.0.0–v9.1.0
  • v8.7.3–v8.7.9
  • 8.7.0–8.7.10
CVE-2020-26228 High 7.5 CWE-312, CWE-200 0.00131 0.49232
  • v9.0.0–v9.1.0
CVE-2021-21338 Medium 6.1 CWE-601 0.0008 0.35735
  • v9.0.0–v9.1.0
CVE-2021-21339 High 7.5 CWE-312 0.00168 0.54356
  • v9.0.0–v9.1.0
CVE-2021-21355 High 8.6 CWE-552, CWE-434 0.00102 0.42932
  • v9.0.0–v9.1.0
CVE-2021-21357 High 8.3 CWE-434, CWE-22, CWE-20 0.00109 0.45125
  • v9.0.0–v9.1.0
  • v8.7.3–v8.7.9
  • 8.0.0–8.7.10
CVE-2021-21359 High 7.5 CWE-674, CWE-405 0.00176 0.5555
  • v9.0.0–v9.1.0
CVE-2021-21370 Medium 5.4 CWE-79 0.00061 0.27386
  • v9.0.0–v9.1.0
CVE-2021-32667 Medium 5.4 CWE-79 0.00053 0.22411
  • v9.0.0–v9.1.0
CVE-2021-32668 Medium 4.8 CWE-79 0.00053 0.22411
  • v9.0.0–v9.1.0
CVE-2021-32669 Medium 5.4 CWE-79 0.00053 0.22411
  • v9.0.0–v9.1.0
CVE-2021-32767 Medium 6.5 CWE-532 0.00063 0.28244
  • v9.0.0–v9.1.0
CVE-2017-14251 High 8.8 CWE-434 0.00788 0.81971
  • v8.7.3–v8.7.4
  • v7.6.20
  • 8.0.0–8.7.2
  • 7.6.0–7.6.21
CVE-2016-5385 High 8.1 CWE-601 0.92761 0.99114
  • 8.0.0–8.2.0
CVE-2017-6370 Medium 5.3 CWE-319 0.00231 0.61688
  • 7.6.15

typo3/cms Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2022-47406 An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed. dev-TYPO3_6-2, dev-TYPO3_7-0, dev-TYPO3_7-3, dev-TYPO3_7-6, dev-TYPO3_8-1, dev-TYPO3_8-0, dev-TYPO3_8-2, dev-TYPO3_8-3 (Show all) Patch → NO_SAFE_VERSION
CVE-2021-32768 TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser does not consider all potentially malicious HTML tag & attribute combinations per default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described. 7.3.0, 7.2.0, 7.1.0, 7.0.2, 7.0.1, 7.0.0, v9.0.0, v9.1.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2021-32767 TYPO3 is an open source PHP based web content management system. In versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may been logged as plain-text. This occurs when explicitly using log level debug, which is not the default configuration. TYPO3 versions 9.5.28, 10.4.18, 11.3.1 contain a patch for this vulnerability. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2021-32669 TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When settings for _backend layouts_ are not properly encoded, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this vulnerability. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2021-32668 TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When error messages are not properly encoded, the components _QueryGenerator_ and _QueryView_ are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this issue. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2021-32667 TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When _Page TSconfig_ settings are not properly encoded, corresponding page preview module (_Web>View_) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this issue. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2021-21370 TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2021-21359 TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.25, 10.4.14, 11.1.1 requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This is fixed in versions 9.5.25, 10.4.14, 11.1.1. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2021-21357 TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. Besides that, attackers can persist those files in any writable directory of the corresponding TYPO3 installation. A valid backend user account with access to the form module is needed to exploit this vulnerability. This is fixed in versions 8.7.40, 9.5.25, 10.4.14, 11.1.1. v9.0.0, v9.1.0, 8.7.10, v8.7.9, v8.7.8, v8.7.4, v8.7.3, 8.7.2 (Show all) Patch → NO_SAFE_VERSION
CVE-2021-21355 TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1, due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. Besides that, _UploadedFileReferenceConverter_ transforming uploaded files into proper FileReference domain model objects handles possible file uploads for other extensions as well - given those extensions use the Extbase MVC framework, make use of FileReference items in their direct or inherited domain model definitions and did not implement their own type converter. In case this scenario applies, _UploadedFileReferenceConverter_ accepts any file mime-type and persists files in the default location. In any way, uploaded files are placed in the default location _/fileadmin/user_upload/_, in most scenarios keeping the submitted filename - which allows attackers to directly reference files, or even correctly guess filenames used by other individuals, disclosing this information. No authentication is required to exploit this vulnerability. This is fixed in versions 8.7.40, 9.5.25, 10.4.14, 11.1.1. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2021-21339 TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2021-21338 TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that Login Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and conducting phishing attacks. No authentication is required in order to exploit this vulnerability. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2020-8091 svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. This may be at a contrib/websvg/svg.swf pathname. 6.2.4, 6.2.5, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 7.0.2, 7.0.1 (Show all) Patch → NO_SAFE_VERSION
CVE-2020-26228 TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2020-26227 TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. v9.0.0, v9.1.0, 8.7.10, v8.7.9, v8.7.8, v8.7.4, v8.7.3, 8.7.2 (Show all) Patch → NO_SAFE_VERSION
CVE-2020-15241 TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1). v9.0.0, v9.1.0, 8.7.10, v8.7.9, v8.7.8, v8.7.4, v8.7.3, 8.7.2 (Show all) Patch → NO_SAFE_VERSION
CVE-2020-15099 In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php, which again contains the encryptionKey as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, this allows the ability to completely retrieve, manipulate or delete database contents. This includes creating an administration user account - which can be used to trigger remote code execution by injecting custom extensions. This has been patched in versions 9.5.20 and 10.4.6. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2020-15098 In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization & remote code execution. The overall severity of this vulnerability is high based on mentioned attack chains and the requirement of having a valid backend user session (authenticated). This has been patched in versions 9.5.20 and 10.4.6. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2020-11069 In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victims' user session. In a worst-case scenario, new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it's actually a same-site request forgery. Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a third party extension, e.g. file upload in a contact form with knowing the target location. To be successful, the attacked victim requires an active and valid backend or install tool user session at the time of the attack. This has been fixed in 9.5.17 and 10.4.2. The deployment of additional mitigation techniques is suggested as described below. - Sudo Mode Extension This TYPO3 extension intercepts modifications to security relevant database tables, e.g. those storing user accounts or storages of the file abstraction layer. Modifications need to confirmed again by the acting user providing their password again. This technique is known as sudo mode. This way, unintended actions happening in the background can be mitigated. - https://github.com/FriendsOfTYPO3/sudo-mode - https://extensions.typo3.org/extension/sudo_mode - Content Security Policy Content Security Policies tell (modern) browsers how resources served a particular site are handled. It is also possible to disallow script executions for specific locations. In a TYPO3 context, it is suggested to disallow direct script execution at least for locations /fileadmin/ and /uploads/. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2020-11067 In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2020-11066 In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the web site (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. This has been fixed in 9.5.17 and 10.4.2. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2020-11065 In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly. This has been fixed in 9.5.17 and 10.4.2. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2020-11064 In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2019-19850 An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges. v9.0.0, v9.1.0, 8.7.10, v8.7.9, v8.7.8, v8.7.4, v8.7.3, 8.7.2 (Show all) Patch → NO_SAFE_VERSION
CVE-2019-19849 An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges. v9.0.0, v9.1.0, 8.7.10, v8.7.9, v8.7.8, v8.7.4, v8.7.3, 8.7.2 (Show all) Patch → NO_SAFE_VERSION
CVE-2019-19848 An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.) v9.0.0, v9.1.0, 8.7.10, v8.7.9, v8.7.8, v8.7.4, v8.7.3, 8.7.2 (Show all) Patch → NO_SAFE_VERSION
CVE-2019-12748 TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. v9.0.0, v9.1.0, 8.7.10, v8.7.9, v8.7.8, v8.7.4, v8.7.3, 8.7.2 (Show all) Patch → NO_SAFE_VERSION
CVE-2019-12747 TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. v9.0.0, v9.1.0, 8.7.10, v8.7.9, v8.7.8, v8.7.4, v8.7.3, 8.7.2 (Show all) Patch → NO_SAFE_VERSION
CVE-2019-11832 TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick. v9.0.0, v9.1.0, 8.7.10, v8.7.9, v8.7.8, v8.7.4, v8.7.3, 8.7.2 (Show all) Patch → NO_SAFE_VERSION
CVE-2019-10912 In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge. v9.0.0, v9.1.0 Patch → NO_SAFE_VERSION
CVE-2018-6905 The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process. dev-TYPO3_6-2, dev-TYPO3_7-0, dev-TYPO3_7-3, dev-TYPO3_7-6, dev-TYPO3_8-1, dev-TYPO3_8-0, dev-TYPO3_8-2, dev-TYPO3_8-3 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-17960 CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. v9.0.0, v9.1.0, 8.7.10, v8.7.9, v8.7.8, v8.7.4, v8.7.3, 8.7.2 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-14041 In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. v9.0.0, v9.1.0, 8.7.10, v8.7.9, v8.7.8, v8.7.4, v8.7.3, 8.7.2 (Show all) Patch → NO_SAFE_VERSION
CVE-2017-6370 TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields. 7.6.15 Patch → NO_SAFE_VERSION
CVE-2017-14251 Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code. v8.7.4, v8.7.3, 8.7.2, 8.7.1, 8.7.0, 8.6.1, 8.6.0, 8.5.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2016-5385 PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue. 8.2.0, 8.1.2, 8.1.0, 8.1.1, 8.0.1, 8.0.0 Patch → NO_SAFE_VERSION
CVE-2016-4056 Cross-site scripting (XSS) vulnerability in the Backend component in TYPO3 6.2.x before 6.2.19 allows remote attackers to inject arbitrary web script or HTML via the module parameter when creating a bookmark. 6.2.4, 6.2.5, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.2.11, 6.2.12 (Show all) Patch → NO_SAFE_VERSION
CVE-2015-8755 Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown vectors. 6.2.4, 6.2.5, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 7.3.0, 7.2.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2015-5956 The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php and the (2) redirect_url parameter to index.php. 6.2.4, 6.2.5, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 7.3.0, 7.2.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2014-9509 The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set to all or cached, allows remote attackers to have an unspecified impact (possibly resource consumption) via a "Cache Poisoning" attack using a URL with arbitrary arguments, which triggers a reload of the page. 6.2.4, 6.2.5, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 7.0.1, 7.0.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2014-9508 The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that only contain anchors, allows remote attackers to change URLs to arbitrary domains for those links via unknown vectors. 6.2.4, 6.2.5, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 7.0.1, 7.0.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2014-3946 The query caching functionality in the Extbase Framework component in TYPO3 6.2.0 before 6.2.3 does not properly validate group permissions, which allows remote authenticated users to read arbitrary queries via unspecified vectors. 6.2.2, 6.2.1, 6.2.0 Patch → NO_SAFE_VERSION
CVE-2014-3945 The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remote attackers to bypass authentication and gain access to the backend by leveraging knowledge of a password hash. dev-TYPO3_6-2, dev-TYPO3_7-0, dev-TYPO3_7-3, dev-TYPO3_7-6, dev-TYPO3_8-1, dev-TYPO3_8-0, dev-TYPO3_8-2, dev-TYPO3_8-3 (Show all) Patch → NO_SAFE_VERSION
CVE-2014-3944 The Authentication component in TYPO3 6.2.0 before 6.2.3 does not properly invalidate timed out user sessions, which allows remote attackers to bypass authentication via unspecified vectors. 6.2.2, 6.2.1, 6.2.0 Patch → NO_SAFE_VERSION
CVE-2014-3943 Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters. 6.2.2, 6.2.1, 6.2.0 Patch → NO_SAFE_VERSION
CVE-2014-3941 TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing." 6.2.2, 6.2.1, 6.2.0 Patch → NO_SAFE_VERSION
CVE-2013-7341 Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted playerId or (2) referencing an external domain, a related issue to CVE-2013-7342. 6.2.4, 6.2.5, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 7.3.0, 7.2.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2013-4701 Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. 6.2.4, 6.2.5, 6.2.3, 6.2.2, 6.2.1, 6.2.0 Patch → NO_SAFE_VERSION
CVE-2011-4904 TYPO3 before 4.4.9 and 4.5.x before 4.5.4 does not apply proper access control on ExtDirect calls which allows remote attackers to retrieve ExtDirect endpoint services. dev-TYPO3_6-2, dev-TYPO3_7-0, dev-TYPO3_7-3, dev-TYPO3_7-6, dev-TYPO3_8-1, dev-TYPO3_8-0, dev-TYPO3_8-2, dev-TYPO3_8-3 (Show all) Patch → NO_SAFE_VERSION
CVE-2011-4903 Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the RemoveXSS function. dev-TYPO3_6-2, dev-TYPO3_7-0, dev-TYPO3_7-3, dev-TYPO3_7-6, dev-TYPO3_8-1, dev-TYPO3_8-0, dev-TYPO3_8-2, dev-TYPO3_8-3 (Show all) Patch → NO_SAFE_VERSION
CVE-2011-4902 TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to delete arbitrary files on the webserver. dev-TYPO3_6-2, dev-TYPO3_7-0, dev-TYPO3_7-3, dev-TYPO3_7-6, dev-TYPO3_8-1, dev-TYPO3_8-0, dev-TYPO3_8-2, dev-TYPO3_8-3 (Show all) Patch → NO_SAFE_VERSION
CVE-2011-4901 TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to extract arbitrary information from the TYPO3 database. dev-TYPO3_6-2, dev-TYPO3_7-0, dev-TYPO3_7-3, dev-TYPO3_7-6, dev-TYPO3_8-1, dev-TYPO3_8-0, dev-TYPO3_8-2, dev-TYPO3_8-3 (Show all) Patch → NO_SAFE_VERSION
CVE-2011-4900 TYPO3 before 4.5.4 allows Information Disclosure in the backend. dev-TYPO3_6-2, dev-TYPO3_7-0, dev-TYPO3_7-3, dev-TYPO3_7-6, dev-TYPO3_8-1, dev-TYPO3_8-0, dev-TYPO3_8-2, dev-TYPO3_8-3 (Show all) Patch → NO_SAFE_VERSION
CVE-2011-4632 Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the tcemain flash message. dev-TYPO3_6-2, dev-TYPO3_7-0, dev-TYPO3_7-3, dev-TYPO3_7-6, dev-TYPO3_8-1, dev-TYPO3_8-0, dev-TYPO3_8-2, dev-TYPO3_8-3 (Show all) Patch → NO_SAFE_VERSION
CVE-2011-4630 Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the browse_links wizard. dev-TYPO3_6-2, dev-TYPO3_7-0, dev-TYPO3_7-3, dev-TYPO3_7-6, dev-TYPO3_8-1, dev-TYPO3_8-0, dev-TYPO3_8-2, dev-TYPO3_8-3 (Show all) Patch → NO_SAFE_VERSION
CVE-2011-4628 TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authentication mechanisms in the backend through a crafted request. dev-TYPO3_6-2, dev-TYPO3_7-0, dev-TYPO3_7-3, dev-TYPO3_7-6, dev-TYPO3_8-1, dev-TYPO3_8-0, dev-TYPO3_8-2, dev-TYPO3_8-3 (Show all) Patch → NO_SAFE_VERSION
CVE-2011-4627 TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows Information Disclosure on the backend. dev-TYPO3_6-2, dev-TYPO3_7-0, dev-TYPO3_7-3, dev-TYPO3_7-6, dev-TYPO3_8-1, dev-TYPO3_8-0, dev-TYPO3_8-2, dev-TYPO3_8-3 (Show all) Patch → NO_SAFE_VERSION
CVE-2010-1022 The TYPO3 Security - Salted user password hashes (t3sec_saltedpw) extension before 0.2.13 for TYPO3 allows remote attackers to bypass authentication via unspecified vectors. dev-TYPO3_6-2, dev-TYPO3_7-0, dev-TYPO3_7-3, dev-TYPO3_7-6, dev-TYPO3_8-1, dev-TYPO3_8-0, dev-TYPO3_8-2, dev-TYPO3_8-3 (Show all) Patch → NO_SAFE_VERSION

Instantly see if these typo3/cms vulnerabilities affect your code.

Scan for Free