Filtered by vendor Typo3
Total: 486 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-11065 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 5.4 Medium |
In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly. This has been fixed in 9.5.17 and 10.4.2. | ||||
CVE-2020-11064 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 5.4 Medium |
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2. | ||||
CVE-2019-19850 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 7.2 High |
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges. | ||||
CVE-2019-19849 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 8.8 High |
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges. | ||||
CVE-2019-19848 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 7.2 High |
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.) | ||||
CVE-2019-12748 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.1 Medium |
TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. | ||||
CVE-2019-12747 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 8.8 High |
TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. | ||||
CVE-2019-11832 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A |
TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick. | ||||
CVE-2019-11831 | 5 Debian, Drupal, Fedoraproject and 2 more | 5 Debian Linux, Drupal, Fedora and 2 more | 2024-11-21 | 9.8 Critical |
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. | ||||
CVE-2019-11830 | 1 Typo3 | 1 Pharstreamwrapper | 2024-11-21 | N/A |
PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism. | ||||
CVE-2018-6905 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A |
The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process. | ||||
CVE-2017-6370 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A |
TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields. | ||||
CVE-2017-14251 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A |
Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code. | ||||
CVE-2016-5091 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A |
Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action. | ||||
CVE-2016-4056 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in the Backend component in TYPO3 6.2.x before 6.2.19 allows remote attackers to inject arbitrary web script or HTML via the module parameter when creating a bookmark. | ||||
CVE-2015-8760 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A |
The Flvplayer component in TYPO3 6.2.x before 6.2.16 allows remote attackers to embed Flash videos from external domains via unspecified vectors, aka "Cross-Site Flashing." | ||||
CVE-2015-8759 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in the typoLink function in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote authenticated editors to inject arbitrary web script or HTML via a link field. | ||||
CVE-2015-8758 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in unspecified frontend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown vectors. | ||||
CVE-2015-8757 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in the Extension Manager in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to extension data during an extension installation. | ||||
CVE-2015-8756 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in the search result view in the Indexed Search (indexed_search) component in TYPO3 6.2.x before 6.2.16 allows remote authenticated editors to inject arbitrary web script or HTML via unspecified vectors. | ||||