Version v13.4.2

typo3/cms-core

[READ-ONLY] Subtree split of the TYPO3 Core Extension "core"

Install Instructions

composer require typo3/cms-core
Language PHP

typo3/cms-core Vulnerabilities

CVE  Severity  CVSS Score  CWE(s)  EPSS Score  EPSS Percentile  (impacted versions are listed as bullets under each entry)
CVE-2010-3673 Medium 5.3 CWE-200 0.00111 0.45131
  • dev-main
CVE-2009-3633 Medium 4.3 CWE-352 0.0013 0.48393
  • dev-main
CVE-2018-14041 Medium 6.1 CWE-79 0.00353 0.71666
  • v9.0.0–v9.5.3
  • v8.7.7–v8.7.22
  • 9.2.x-dev–9.3.x-dev
CVE-2019-10308 Medium 6.5 CWE-285, CWE-862, CWE-275 0.00109 0.44758
  • v9.0.0–v9.5.7
  • v8.7.7–v8.7.26
  • 9.2.x-dev–9.5.x-dev
  • 8.7.x-dev
CVE-2018-17960 Medium 6.1 CWE-79 0.00111 0.45033
  • v9.0.0–v9.5.1
  • v8.7.7–v8.7.20
  • 9.2.x-dev–9.3.x-dev
CVE-2019-10912 High 7.1 CWE-502 0.00253 0.64287
  • v9.0.0–v9.5.7
  • 9.2.x-dev–9.3.x-dev
CVE-2019-11832 High 7.5 CWE-20 0.00671 0.79643
  • v9.0.0–v9.5.5
  • v8.7.7–v8.7.24
  • 9.2.x-dev–9.3.x-dev
CVE-2019-12747 High 8.8 CWE-502 0.00102 0.42753
  • v9.0.0–v9.5.7
  • v8.7.7–v8.7.26
  • 9.2.x-dev–9.3.x-dev
CVE-2019-19848 High 7.2 CWE-22 0.0018 0.55422
  • v9.0.0–v9.5.11
  • v8.7.7–v8.7.29
  • v10.0.0–v10.2.0
  • 9.2.x-dev–9.3.x-dev
CVE-2019-12748 Medium 6.1 CWE-79 0.00078 0.35818
  • v9.0.0–v9.5.7
  • v8.7.7–v8.7.26
  • 9.2.x-dev–9.3.x-dev
CVE-2019-19850 High 7.2 CWE-89 0.00087 0.38552
  • v9.0.0–v9.5.11
  • v8.7.7–v8.7.29
  • v10.0.0–v10.2.1
  • 9.2.x-dev–9.3.x-dev
CVE-2019-19849 High 8.8 CWE-502 0.00102 0.42753
  • v9.0.0–v9.5.11
  • v8.7.7–v8.7.29
  • v10.0.0–v10.2.0
  • 9.2.x-dev–9.3.x-dev
CVE-2020-11065 Medium 5.4 CWE-79 0.0005 0.21439
  • v9.0.0–v9.5.16
  • v10.0.0–v10.4.1
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2020-11064 Medium 5.4 CWE-79 0.0005 0.21439
  • v9.0.0–v9.5.16
  • v10.0.0–v10.4.1
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2020-11066 High 8.7 CWE-1321, CWE-915 0.00098 0.41839
  • v9.0.0–v9.5.16
  • v10.0.0–v10.4.1
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2020-11067 High 8.8 CWE-502 0.00196 0.57297
  • v9.0.0–v9.5.16
  • v10.0.0–v10.4.1
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2020-11069 High 8 CWE-352, CWE-346 0.00123 0.47191
  • v9.0.0–v9.5.16
  • v10.0.0–v10.4.1
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2020-15098 High 8.8 CWE-327, CWE-502, CWE-325, CWE-20, CWE-200 0.01043 0.83767
  • v9.0.0–v9.5.19
  • v10.0.0–v10.4.5
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2020-15241 Medium 4.7 CWE-601, CWE-79 0.00114 0.4557
  • v9.0.0–v9.5.5
  • v8.7.7–v8.7.24
  • 9.2.x-dev–9.3.x-dev
CVE-2020-15099 High 8.1 CWE-20, CWE-200 0.00944 0.82903
  • v9.0.0–v9.5.19
  • v10.0.0–v10.4.5
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2020-26227 Medium 6.1 CWE-79 0.00132 0.4879
  • v9.0.0–v9.5.22
  • v8.7.7–v8.7.32
  • v10.0.0–v10.4.9
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2020-26228 High 8.1 CWE-312 0.0011 0.44956
  • v9.0.0–v9.5.22
  • v8.7.7–v8.7.32
  • v10.0.0–v10.4.9
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2021-21338 Medium 4.7 CWE-601 0.00108 0.444
  • v9.0.0–v9.5.24
  • v11.0.0–v11.1.0
  • v10.0.0–v10.4.13
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2021-21339 Medium 5.9 CWE-312 0.00168 0.53923
  • v9.0.0–v9.5.24
  • v11.0.0–v11.1.0
  • v10.0.0–v10.4.13
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2021-21355 High 8.6 CWE-552, CWE-434 0.00102 0.4282
  • v9.0.0–v9.5.24
  • v11.0.0–v11.1.0
  • v10.0.0–v10.4.13
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2021-21357 High 8.3 CWE-20, CWE-22, CWE-434 0.0015 0.51632
  • v9.0.0–v9.5.24
  • v11.0.0–v11.1.0
  • v10.0.0–v10.4.13
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2021-21359 Medium 5.9 CWE-405, CWE-674 0.00176 0.54889
  • v9.0.0–v9.5.24
  • v11.0.0–v11.1.0
  • v10.0.0–v10.4.13
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2021-32667 Medium 6.4 CWE-79 0.0005 0.21439
  • v9.0.0–v9.5.27
  • v11.0.0–v11.3.0
  • v10.0.0–v10.4.17
  • 11.1.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2021-21370 Medium 5.4 CWE-79 0.00061 0.28022
  • v9.0.0–v9.5.24
  • v11.0.0–v11.1.0
  • v10.0.0–v10.4.13
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2021-32668 Medium 6.4 CWE-79 0.0005 0.21439
  • v9.0.0–v9.5.27
  • v8.7.7–v8.7.32
  • v11.0.0–v11.3.0
  • v10.0.0–v10.4.17
  • 11.1.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2021-32767 Medium 5.3 CWE-532 0.00063 0.2915
  • v9.0.0–v9.5.27
  • v8.7.7–v8.7.32
  • v11.0.0–v11.3.0
  • v10.0.0–v10.4.17
  • 11.1.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2021-32669 Medium 6.4 CWE-79 0.0005 0.21439
  • v9.0.0–v9.5.27
  • v11.0.0–v11.3.0
  • v10.0.0–v10.4.17
  • 11.1.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2021-32768 Medium 6.1 CWE-79 0.00066 0.31108
  • v9.0.0–v9.5.28
  • v11.0.0–v11.3.1
  • v10.0.0–v10.4.18
  • 11.1.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2022-23500 Medium 5.9 CWE-674 0.00081 0.36527
  • v9.0.0–v9.5.31
  • v11.0.0–v11.5.19
  • v10.0.0–v10.4.32
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2022-23504 Medium 5.7 CWE-917, CWE-200 0.00089 0.39593
  • v9.0.0–v9.5.31
  • v12.0.0–v12.1.0
  • v11.0.0–v11.5.19
  • v10.0.0–v10.4.32
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2022-31046 Medium 4.3 CWE-319, CWE-200 0.00059 0.26673
  • v9.0.0–v9.5.31
  • v8.7.7–v8.7.32
  • v11.0.0–v11.5.10
  • v10.0.0–v10.4.28
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2022-31047 Medium 5.3 CWE-209, CWE-532 0.00097 0.41711
  • v9.0.0–v9.5.31
  • v8.7.7–v8.7.32
  • v11.0.0–v11.5.10
  • v10.0.0–v10.4.28
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2022-31050 Medium 6 CWE-613 0.00217 0.59386
  • v9.0.0–v9.5.31
  • v11.0.0–v11.5.10
  • v10.0.0–v10.4.28
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2022-36107 Medium 6.5 CWE-79 0.00059 0.26673
  • v9.0.0–v9.5.31
  • v8.7.7–v8.7.32
  • v11.0.0–v11.5.15
  • v10.0.0–v10.4.31
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2023-30451 Medium 4.9 CWE-22 0.00074 0.34407
  • v9.0.0–v9.5.31
  • v8.7.7–v8.7.32
  • v13.0.0
  • v12.0.0–v12.4.10
  • v11.0.0–v11.5.34
  • v10.0.0–v10.4.37
  • 12.1.x-dev
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2023-47127 Medium 5.4 CWE-302, CWE-287, CWE-294 0.00061 0.27906
  • v9.0.0–v9.5.31
  • v8.7.7–v8.7.32
  • v12.0.0–v12.4.7
  • v11.0.0–v11.5.32
  • v10.0.0–v10.4.37
  • 12.1.x-dev
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2024-22188 High 7.2 CWE-94, CWE-77 0.00043 0.10859
  • v9.0.0–v9.5.31
  • v8.7.7–v8.7.32
  • v13.0.0
  • v12.0.0–v12.4.10
  • v11.0.0–v11.5.34
  • v10.0.0–v10.4.37
  • 12.1.x-dev
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2024-25118 Medium 6.5 CWE-200 0.00069 0.32158
  • v9.0.0–v9.5.31
  • v8.7.7–v8.7.32
  • v13.0.0
  • v12.0.0–v12.4.10
  • v11.0.0–v11.5.34
  • v10.0.0–v10.4.37
  • 12.1.x-dev
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2024-25119 Medium 4.9 CWE-200 0.00049 0.20106
  • v9.0.0–v9.5.31
  • v8.7.7–v8.7.32
  • v13.0.0
  • v12.0.0–v12.4.10
  • v11.0.0–v11.5.34
  • v10.0.0–v10.4.37
  • 12.1.x-dev
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2024-25121 High 7.1 CWE-284, CWE-200 0.00049 0.20106
  • v9.0.0–v9.5.31
  • v8.7.7–v8.7.32
  • v13.0.0
  • v12.0.0–v12.4.10
  • v11.0.0–v11.5.34
  • v10.0.0–v10.4.37
  • 12.1.x-dev
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2024-25120 Medium 4.3 CWE-284, CWE-200 0.00051 0.22311
  • v9.0.0–v9.5.31
  • v8.7.7–v8.7.32
  • v13.0.0
  • v12.0.0–v12.4.10
  • v11.0.0–v11.5.34
  • v10.0.0–v10.4.37
  • 12.1.x-dev
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2024-34356 Medium 5.4 CWE-79 0.00045 0.1735
  • v9.0.0–v9.5.31
  • v13.0.0–v13.1.0
  • v12.0.0–v12.4.14
  • v11.0.0–v11.5.36
  • v10.0.0–v10.4.37
  • 13.0.x-dev
  • 12.1.x-dev
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2024-34357 Medium 5.4 CWE-79 0.00045 0.1735
  • v9.0.0–v9.5.31
  • v13.0.0–v13.1.0
  • v12.0.0–v12.4.14
  • v11.0.0–v11.5.36
  • v10.0.0–v10.4.37
  • 13.0.x-dev
  • 12.1.x-dev
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2024-34358 Medium 5.3 CWE-347, CWE-200 0.00045 0.1735
  • v9.0.0–v9.5.31
  • v13.0.0–v13.1.0
  • v12.0.0–v12.4.14
  • v11.0.0–v11.5.36
  • v10.0.0–v10.4.37
  • 13.0.x-dev
  • 12.1.x-dev
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
  • 9.2.x-dev–9.3.x-dev
CVE-2023-38499 Medium 5.3 CWE-200 0.00079 0.36146
  • v9.4.0–v9.5.31
  • v12.0.0–v12.4.3
  • v11.0.0–v11.5.29
  • v10.0.0–v10.4.37
  • 12.1.x-dev
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
CVE-2020-11063 Low 3.7 CWE-203, CWE-204 0.0009 0.3984
  • v10.0.0–v10.4.1
  • 10.2.x-dev
CVE-2020-26229 Low 3.7 CWE-611 0.00076 0.3507
  • v10.0.0–v10.4.9
  • 10.2.x-dev
CVE-2021-21340 Medium 5.4 CWE-79 0.00061 0.28022
  • v11.0.0–v11.1.0
  • v10.0.0–v10.4.13
  • 10.2.x-dev
CVE-2022-23499 Medium 6.1 CWE-79 0.00055 0.25287
  • v12.0.0–v12.1.0
  • v11.0.0–v11.5.19
  • v10.0.0–v10.4.32
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
CVE-2022-23501 Medium 5.9 CWE-287 0.00063 0.2915
  • v12.0.0–v12.1.0
  • v11.0.0–v11.5.19
  • v10.0.0–v10.4.32
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
CVE-2022-23502 Medium 5.4 CWE-613 0.0005 0.21439
  • v12.0.0–v12.1.0
  • v11.0.0–v11.5.19
  • v10.0.0–v10.4.32
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
CVE-2022-23503 High 7.5 CWE-94 0.00102 0.42742
  • v12.0.0–v12.1.0
  • v11.0.0–v11.5.19
  • v10.0.0–v10.4.32
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
CVE-2022-31048 Medium 5.4 CWE-79 0.00059 0.26673
  • v11.0.0–v11.5.10
  • v10.0.0–v10.4.28
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
CVE-2022-31049 Medium 5.4 CWE-79 0.00059 0.26673
  • v11.0.0–v11.5.10
  • v10.0.0–v10.4.28
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
CVE-2022-36020 Medium 6.1 CWE-79 0.0009 0.39667
  • v11.0.0–v11.5.15
  • v10.0.0–v10.4.31
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
CVE-2022-36105 Medium 5.3 CWE-203 0.00071 0.3288
  • v11.0.0–v11.5.15
  • v10.0.0–v10.4.31
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
CVE-2022-36106 Medium 5.4 CWE-287 0.00059 0.26673
  • v11.0.0–v11.5.15
  • v10.0.0–v10.4.31
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
CVE-2022-36108 Medium 6.5 CWE-79 0.00071 0.3288
  • v11.0.0–v11.5.15
  • v10.0.0–v10.4.31
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
CVE-2023-24814 Medium 6.1 CWE-79 0.0014 0.50111
  • v12.0.0–v12.1.3
  • v11.0.0–v11.5.22
  • v10.0.0–v10.4.34
  • 12.1.x-dev
  • 11.1.x-dev–11.3.x-dev
  • 10.2.x-dev
CVE-2021-21358 Medium 5.4 CWE-79 0.00061 0.28022
  • v11.0.0–v11.1.0
  • v10.2.0–v10.4.13
  • 10.2.x-dev
CVE-2021-41114 Medium 4.8 CWE-644, CWE-20 0.00086 0.38335
  • v11.0.0–v11.4.0
  • 11.1.x-dev–11.3.x-dev
CVE-2022-36104 Medium 5.9 CWE-770 0.00145 0.50862
  • v11.0.0–v11.5.15
  • 11.1.x-dev–11.3.x-dev
CVE-2021-41113 High 8.8 CWE-352 0.00201 0.57683
  • v11.2.0–v11.4.0
  • 11.3.x-dev
CVE-2024-34355 Low 3.5 CWE-116, CWE-79 0.00045 0.1735
  • v13.0.0–v13.1.0
  • 13.0.x-dev

typo3/cms-core Vulnerability Remediation Guidance

CVE  Description  Impacted Versions (the page lists only the first entries; "(Show all)" marks where the list is truncated)  Fix (upgrade type → recommended version)
CVE-2024-34358 TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the `ShowImageController` (`_eID tx_cms_showpic_`) lacks an HMAC signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic&file=3&...&frame=12345`). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2024-34357 TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the `ShowImageController` (`_eID tx_cms_showpic_`) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2024-34356 TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to the form module. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1 fix the problem described. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2024-34355 TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account. TYPO3 version 13.1.1 fixes the problem described. v13.0.0, 13.0.x-dev, v13.1.0, v13.0.1 Minor → v13.1.1
CVE-2024-25121 TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 version 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1 which fix the problem described. When persisting entities of the File Abstraction Layer directly via DataHandler, `sys_file` entities are now denied by default, and `sys_file_reference` & `sys_file_metadata` entities are not permitted to reference files in the fallback storage anymore. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using `$dataHandler->isImporting = true;`. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2024-25120 TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2024-25119 TYPO3 is an open source PHP based web content management system released under the GNU GPL. The plaintext value of `$GLOBALS['SYS']['encryptionKey']` was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this vulnerability. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2024-25118 TYPO3 is an open source PHP based web content management system released under the GNU GPL. Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2024-22188 TYPO3 before 13.0.1 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in form fields of the Install Tool. The fixed versions are 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, and 13.0.1. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2023-47127 TYPO3 is an open source PHP based web content management system released under the GNU GPL. In installations that serve more than one site (e.g. first.example.org and second.example.com), a session cookie generated for the first site could, in affected versions, be reused on the second site without requiring additional authentication. This vulnerability has been addressed in versions 8.7.55, 9.5.44, 10.4.41, 11.5.33, and 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2023-38499 TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem. v9.5.0, v9.5.1, v9.5.2, v9.5.4, v9.5.3, v9.5.5, v9.5.6, v9.5.7 (Show all) Major → v11.5.37
CVE-2023-30451 In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the base path (`basePath`) field of a file storage record, as demonstrated by POST /typo3/record/edit with ../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF]. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2023-24814 TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code into pages that have not been rendered and cached yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Custom code that relies on the resolved value of `GeneralUtility::getIndpEnv('SCRIPT_NAME')` and corresponding usages is vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of the server environment variable `PATH_INFO` has been removed from the corresponding processing in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded both for being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner, the TypoScript setting `config.absRefPrefix` should at least be set to a static path value instead of `auto`, e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation of the most prominent manifestation. v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (Show all) Major → v11.5.37
CVE-2022-36108 TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the `f:asset.css` view helper is vulnerable to cross-site scripting when user input is passed as variables to the CSS. Update to TYPO3 version 10.4.32 or 11.5.16 that fix the problem. There are no known workarounds for this issue. v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (Show all) Major → v11.5.37
CVE-2022-36107 TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the `FileDumpController` (backend and frontend context) is vulnerable to cross-site scripting when malicious files are displayed using this component. A valid backend user account is needed to exploit this vulnerability. Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem. There are no known workarounds for this issue. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2022-36106 TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the expiration time of a password reset link for TYPO3 backend users has never been evaluated. As a result, a password reset link could be used to perform a password reset even if the default expiry time of two hours has been exceeded. Update to TYPO3 version 10.4.32 or 11.5.16 that fix the problem. There are no known workarounds for this issue. v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (Show all) Major → v11.5.37
CVE-2022-36105 TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that observing response time during user authentication (backend and frontend) can be used to distinguish between existing and non-existing user accounts. Extension authors of 3rd party TYPO3 extensions providing a custom authentication service should check if the extension is affected by the described problem. Affected extensions must implement new `MimicServiceInterface::mimicAuthUser`, which simulates corresponding times regular processing would usually take. Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix this problem. There are no known workarounds for this issue. v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (Show all) Major → v11.5.37
CVE-2022-36104 TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. Users are advised to update to TYPO3 version 11.5.16 to resolve this issue. There are no known workarounds for this issue. v11.0.0, v11.1.0, v11.1.1, v11.2.0, v11.3.0, v11.3.1, v11.3.2, v11.4.0 (Show all) Minor → v11.5.37
CVE-2022-36020 The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Due to a parsing issue in the upstream package `masterminds/html5`, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows for a bypass of the cross-site scripting mechanism of `typo3/html-sanitizer`. This issue has been addressed in versions 1.0.7 and 2.0.16 of the `typo3/html-sanitizer` package. Users are advised to upgrade. There are no known workarounds for this issue. v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (Show all) Major → v11.5.37
CVE-2022-31050 TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2022-31049 TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, user submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem. v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (Show all) Major → v11.5.37
CVE-2022-31048 TYPO3 is an open source web content management system. Prior to versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. TYPO3 versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem. v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (Show all) Major → v11.5.37
CVE-2022-31047 TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, system internal credentials or keys (e.g. database credentials) can be logged as plaintext in exception handlers, when logging the complete exception stack trace. TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, 11.5.11 contain a fix for the problem. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2022-31046 TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the export functionality fails to limit the result set to allowed columns of a particular database table. This way, authenticated users can export internal details of database tables they already have access to. TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, 11.5.11 fix the problem described above. In order to address this issue, access to mentioned export functionality is completely denied for regular backend users. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2022-23504 TYPO3 is an open source PHP based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to Sensitive Information Disclosure. Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. This issue has been patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1. v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (Show all) Major → v11.5.37
CVE-2022-23503 TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item and a valid backend user account with access to the form module are needed to exploit this vulnerability. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1. v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (Show all) Major → v11.5.37
CVE-2022-23502 TYPO3 is an open source PHP based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, when users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. This issue is patched in versions 10.4.33, 11.5.20, 12.1.1. v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (Show all) Major → v11.5.37
CVE-2022-23501: TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1. Impacted versions: v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (list truncated). Fix: Major → v11.5.37
CVE-2022-23500: TYPO3 is an open source PHP based web content management system. In versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1, requesting invalid or non-existing resources via HTTP triggers the page error handler, which in turn could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This vulnerability is very similar, but not identical, to the one described in CVE-2021-21359. This issue is patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20 or 12.1.1. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2022-23499: HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. In versions prior to 1.5.0 or 2.1.1, malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized due to a parsing issue in the upstream package masterminds/html5. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. The upstream package masterminds/html5 provides HTML raw text elements (`script`, `style`, `noframes`, `noembed` and `iframe`) as DOMText nodes, which were not processed and sanitized further. None of the mentioned elements were defined in the default builder configuration, which is why only custom behaviors using one of those tag names were vulnerable to cross-site scripting. This issue has been fixed in versions 1.5.0 and 2.1.1. Impacted versions: v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (list truncated). Fix: Major → v11.5.37
CVE-2021-41114: TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend rendering process. Since the host header itself is provided by the client, it can be forged to any value, even in a name-based virtual hosts environment. This vulnerability is the same as described in TYPO3-CORE-SA-2014-001 (CVE-2014-3941). A regression, introduced during TYPO3 v11 development, led to this situation. The already existing setting $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] (used as an effective mitigation strategy in previous TYPO3 versions) was no longer evaluated, which reintroduced the vulnerability. Impacted versions: v11.0.0, v11.1.0, v11.1.1, v11.2.0, v11.3.0, v11.3.1, v11.3.2, v11.4.0 (list truncated). Fix: Minor → v11.5.37
CVE-2021-41113: TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site request forgery. The impact is the same as described in TYPO3-CORE-SA-2020-006 (CVE-2020-11069). However, it is not limited to the same site context and does not require the attacker to be authenticated. In a worst case scenario, the attacker could create a new admin user account to compromise the system. To successfully carry out an attack, an attacker must trick the victim into accessing a compromised system. The victim must have an active session in the TYPO3 backend at that time. The following Same-Site cookie settings in $GLOBALS[TYPO3_CONF_VARS][BE][cookieSameSite] are required for an attack to be successful: SameSite=strict: malicious evil.example.org invoking TYPO3 application at good.example.org; SameSite=lax or none: malicious evil.com invoking TYPO3 application at example.org. Update your instance to TYPO3 version 11.5.0 which addresses the problem described. Impacted versions: v11.2.0, v11.3.0, v11.3.1, v11.3.2, v11.4.0, v11.3.3, 11.3.x-dev. Fix: Minor → v11.5.37
CVE-2021-32768: TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions, because malicious rich-text content is not properly parsed, sanitized and encoded, the content rendering process in the website frontend is vulnerable to cross-site scripting. The corresponding rendering instructions via the TypoScript functionality HTMLparser do not consider all potentially malicious HTML tag & attribute combinations by default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2021-32767: TYPO3 is an open source PHP based web content management system. In versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may be logged as plain text. This occurs when explicitly using log level debug, which is not the default configuration. TYPO3 versions 9.5.28, 10.4.18, 11.3.1 contain a patch for this vulnerability. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2021-32669: TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When settings for _backend layouts_ are not properly encoded, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this vulnerability. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2021-32668: TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When error messages are not properly encoded, the components _QueryGenerator_ and _QueryView_ are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this issue. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2021-32667: TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When _Page TSconfig_ settings are not properly encoded, the corresponding page preview module (_Web>View_) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this issue. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2021-21370: TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2021-21359: TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.25, 10.4.14, 11.1.1 requesting invalid or non-existing resources via HTTP triggers the page error handler, which in turn could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This is fixed in versions 9.5.25, 10.4.14, 11.1.1. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2021-21358: TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. This is fixed in versions 10.4.14, 11.1.1. Impacted versions: v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0, 10.2.x-dev, v10.4.3 (list truncated). Fix: Major → v11.5.37
CVE-2021-21357: TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1, due to improper input validation, attackers can bypass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, the default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. Besides that, attackers can persist those files in any writable directory of the corresponding TYPO3 installation. A valid backend user account with access to the form module is needed to exploit this vulnerability. This is fixed in versions 8.7.40, 9.5.25, 10.4.14, 11.1.1. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2021-21355: TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1, due to the lack of ensuring that file extensions belong to the configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, the default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. Besides that, _UploadedFileReferenceConverter_, which transforms uploaded files into proper FileReference domain model objects, handles possible file uploads for other extensions as well - given those extensions use the Extbase MVC framework, make use of FileReference items in their direct or inherited domain model definitions and did not implement their own type converter. In case this scenario applies, _UploadedFileReferenceConverter_ accepts any file mime-type and persists files in the default location. In any case, uploaded files are placed in the default location _/fileadmin/user_upload/_, in most scenarios keeping the submitted filename - which allows attackers to directly reference files, or even correctly guess filenames used by other individuals, disclosing this information. No authentication is required to exploit this vulnerability. This is fixed in versions 8.7.40, 9.5.25, 10.4.14, 11.1.1. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2021-21340: TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 10.4.14, 11.1.1. Impacted versions: v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (list truncated). Fix: Major → v11.5.37
CVE-2021-21339: TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing by additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2021-21338: TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that Login Handling is susceptible to open redirection, which allows attackers to redirect to arbitrary content and conduct phishing attacks. No authentication is required in order to exploit this vulnerability. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2020-26229: TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is plausible, but theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled by default - and cannot be exploited. Besides that, a valid backend user account is needed. Update to TYPO3 version 10.4.10 to fix the problem described. Impacted versions: v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (list truncated). Fix: Major → v11.5.37
CVE-2020-26228: TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2020-26227: TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting when passing user-controlled data as an argument to Fluid view helpers. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2020-15241: TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in the following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1). Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2020-15099: In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php, which in turn contains the encryptionKey as well as credentials of the database management system being used. In case a database server is directly accessible either via the internet or in a shared hosting network, this allows an attacker to completely retrieve, manipulate or delete database contents. This includes creating an administration user account - which can be used to trigger remote code execution by injecting custom extensions. This has been patched in versions 9.5.20 and 10.4.6. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2020-15098: In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows injecting arbitrary data that carries a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization & remote code execution. The overall severity of this vulnerability is high based on the mentioned attack chains and the requirement of having a valid backend user session (authenticated). This has been patched in versions 9.5.20 and 10.4.6. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2020-11069: In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victim's user session. In a worst-case scenario, new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it's actually a same-site request forgery. Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a third party extension, e.g. file upload in a contact form with knowledge of the target location. To be successful, the attacked victim requires an active and valid backend or install tool user session at the time of the attack. This has been fixed in 9.5.17 and 10.4.2. The deployment of additional mitigation techniques is suggested as described below.
- Sudo Mode Extension: This TYPO3 extension intercepts modifications to security-relevant database tables, e.g. those storing user accounts or storages of the file abstraction layer. Modifications need to be confirmed again by the acting user providing their password again. This technique is known as sudo mode. This way, unintended actions happening in the background can be mitigated. See https://github.com/FriendsOfTYPO3/sudo-mode and https://extensions.typo3.org/extension/sudo_mode
- Content Security Policy: Content Security Policies tell (modern) browsers how resources served by a particular site are handled. It is also possible to disallow script executions for specific locations. In a TYPO3 context, it is suggested to disallow direct script execution at least for the locations /fileadmin/ and /uploads/.
Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2020-11067: In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2020-11066: In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the web site (mail relay). Another insecure deserialization vulnerability is required to actually exploit the mentioned aspects. This has been fixed in 9.5.17 and 10.4.2. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2020-11065: In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly. This has been fixed in 9.5.17 and 10.4.2. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2020-11064: In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2020-11063: In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2. Impacted versions: v10.0.0, v10.1.0, v10.2.0, v10.2.1, v10.2.2, v10.4.0, v10.4.1, v10.3.0 (list truncated). Fix: Major → v11.5.37
CVE-2019-19850: An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2019-19849: An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2019-19848: An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.) Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2019-12748: TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2019-12747: TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2019-11832: TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2019-10912: In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2019-10308: A missing permission check in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers with Overall/Read permission to change the per-job default graph configuration for all users. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2018-17960: CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2018-14041: In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. Impacted versions: v9.0.0, v9.1.0, v9.2.0, v9.3.0, v9.3.2, v9.3.1, v9.3.3, v9.5.0 (list truncated). Fix: Major → v11.5.37
CVE-2010-3673: TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows information disclosure in the mail header of the HTML mailing API. Impacted versions: dev-main. Fix: Patch → v11.5.37
CVE-2009-3633: Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the sanitizing algorithm. Impacted versions: dev-main. Fix: Patch → v11.5.37
