Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/typo3/cms-core@8.7.31
Typecomposer
Namespacetypo3
Namecms-core
Version8.7.31
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version12.4.41
Latest_non_vulnerable_version14.0.2
Affected_by_vulnerabilities
0
url VCID-4jpa-6fqh-hbfg
vulnerability_id VCID-4jpa-6fqh-hbfg
summary 
Cross-Site Scripting in TYPO3's Form Framework
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.9)

### Problem
It has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability.

### Solution
Update to TYPO3 versions 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above.

### Credits
Thanks to Gabe Troyan who reported and fixed the issue.

### References
* [TYPO3-CORE-SA-2022-003](https://typo3.org/security/advisory/typo3-core-sa-2022-003)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-31048
reference_id
reference_type
scores
0
value 0.0063
scoring_system epss
scoring_elements 0.70274
published_at 2026-04-08T12:55:00Z
1
value 0.0063
scoring_system epss
scoring_elements 0.70337
published_at 2026-04-18T12:55:00Z
2
value 0.0063
scoring_system epss
scoring_elements 0.70327
published_at 2026-04-16T12:55:00Z
3
value 0.0063
scoring_system epss
scoring_elements 0.70286
published_at 2026-04-13T12:55:00Z
4
value 0.0063
scoring_system epss
scoring_elements 0.70299
published_at 2026-04-12T12:55:00Z
5
value 0.0063
scoring_system epss
scoring_elements 0.70313
published_at 2026-04-11T12:55:00Z
6
value 0.0063
scoring_system epss
scoring_elements 0.70289
published_at 2026-04-09T12:55:00Z
7
value 0.0063
scoring_system epss
scoring_elements 0.70234
published_at 2026-04-02T12:55:00Z
8
value 0.0063
scoring_system epss
scoring_elements 0.70251
published_at 2026-04-04T12:55:00Z
9
value 0.0063
scoring_system epss
scoring_elements 0.70228
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-31048
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-31048.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-31048.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31048.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31048.yaml
3
reference_url https://github.com/TYPO3-CMS/core
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3-CMS/core
4
reference_url https://github.com/TYPO3/typo3/commit/6f2554dc4ea0b670fd5599c54fd788d4db96c4a0
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:16Z/
url https://github.com/TYPO3/typo3/commit/6f2554dc4ea0b670fd5599c54fd788d4db96c4a0
5
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-3r95-23jp-mhvg
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:16Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-3r95-23jp-mhvg
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-31048
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-31048
7
reference_url https://typo3.org/security/advisory/typo3-core-sa-2022-003
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:16Z/
url https://typo3.org/security/advisory/typo3-core-sa-2022-003
8
reference_url https://github.com/advisories/GHSA-3r95-23jp-mhvg
reference_id GHSA-3r95-23jp-mhvg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3r95-23jp-mhvg
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.47
purl pkg:composer/typo3/cms-core@8.7.47
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5paq-5frf-43ed
1
vulnerability VCID-b6er-h7dm-3bev
2
vulnerability VCID-mnz3-rj21-67ad
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.47
1
url pkg:composer/typo3/cms-core@9.5.35
purl pkg:composer/typo3/cms-core@9.5.35
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.35
2
url pkg:composer/typo3/cms-core@10.4.29
purl pkg:composer/typo3/cms-core@10.4.29
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4t9s-p25a-cfas
3
vulnerability VCID-5paq-5frf-43ed
4
vulnerability VCID-65ue-7jd9-23gf
5
vulnerability VCID-8d2m-1ffv-jqe1
6
vulnerability VCID-8sdd-b1bn-cuhx
7
vulnerability VCID-av8u-rvzq-4fc7
8
vulnerability VCID-axvk-13qf-tka7
9
vulnerability VCID-b6er-h7dm-3bev
10
vulnerability VCID-g4uc-qeb6-myed
11
vulnerability VCID-gv1b-xtv4-4yg3
12
vulnerability VCID-gyyu-n3b1-zbcj
13
vulnerability VCID-h6y3-7gsq-skh2
14
vulnerability VCID-mnz3-rj21-67ad
15
vulnerability VCID-mud2-s4rc-fuf6
16
vulnerability VCID-n7ng-zkkb-2qaz
17
vulnerability VCID-nubu-f1sc-gbes
18
vulnerability VCID-t1n7-eswt-73gw
19
vulnerability VCID-taj6-zj2n-5kg8
20
vulnerability VCID-ve7g-8st5-wffb
21
vulnerability VCID-vwb2-a84s-5qak
22
vulnerability VCID-vyvy-y3cw-hbgr
23
vulnerability VCID-w13x-3rp9-wyej
24
vulnerability VCID-xy6y-312d-rygj
25
vulnerability VCID-zdq2-dhb2-6kaq
26
vulnerability VCID-zn99-ywte-33g6
27
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.29
3
url pkg:composer/typo3/cms-core@11.5.11
purl pkg:composer/typo3/cms-core@11.5.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4t9s-p25a-cfas
3
vulnerability VCID-5paq-5frf-43ed
4
vulnerability VCID-65ue-7jd9-23gf
5
vulnerability VCID-8d2m-1ffv-jqe1
6
vulnerability VCID-8sdd-b1bn-cuhx
7
vulnerability VCID-av8u-rvzq-4fc7
8
vulnerability VCID-axvk-13qf-tka7
9
vulnerability VCID-b6er-h7dm-3bev
10
vulnerability VCID-g4uc-qeb6-myed
11
vulnerability VCID-gv1b-xtv4-4yg3
12
vulnerability VCID-gyyu-n3b1-zbcj
13
vulnerability VCID-h6y3-7gsq-skh2
14
vulnerability VCID-mnz3-rj21-67ad
15
vulnerability VCID-mud2-s4rc-fuf6
16
vulnerability VCID-n7ng-zkkb-2qaz
17
vulnerability VCID-nubu-f1sc-gbes
18
vulnerability VCID-t1n7-eswt-73gw
19
vulnerability VCID-taj6-zj2n-5kg8
20
vulnerability VCID-tnxn-p13f-yuah
21
vulnerability VCID-ve7g-8st5-wffb
22
vulnerability VCID-vwb2-a84s-5qak
23
vulnerability VCID-vyvy-y3cw-hbgr
24
vulnerability VCID-w13x-3rp9-wyej
25
vulnerability VCID-xy6y-312d-rygj
26
vulnerability VCID-zdq2-dhb2-6kaq
27
vulnerability VCID-zn99-ywte-33g6
28
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.11
aliases CVE-2022-31048, GHSA-3r95-23jp-mhvg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4jpa-6fqh-hbfg
1
url VCID-5jgb-dsyx-hyb4
vulnerability_id VCID-5jgb-dsyx-hyb4
summary 
Open Redirection in Login Handling
### Problem
It has been discovered that Login Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and conducting phishing attacks. No authentication is required in order to exploit this vulnerability.

### Solution
Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described.

### Credits
Thanks to Alexander Kellner who reported this issue and to TYPO3 security team member Torben Hansen who fixed the issue.

### References
* [TYPO3-CORE-SA-2021-001](https://typo3.org/security/advisory/typo3-core-sa-2021-001)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21338
reference_id
reference_type
scores
0
value 0.00253
scoring_system epss
scoring_elements 0.48641
published_at 2026-04-18T12:55:00Z
1
value 0.00253
scoring_system epss
scoring_elements 0.48529
published_at 2026-04-01T12:55:00Z
2
value 0.00253
scoring_system epss
scoring_elements 0.48564
published_at 2026-04-02T12:55:00Z
3
value 0.00253
scoring_system epss
scoring_elements 0.48587
published_at 2026-04-04T12:55:00Z
4
value 0.00253
scoring_system epss
scoring_elements 0.48539
published_at 2026-04-07T12:55:00Z
5
value 0.00253
scoring_system epss
scoring_elements 0.48593
published_at 2026-04-08T12:55:00Z
6
value 0.00253
scoring_system epss
scoring_elements 0.48589
published_at 2026-04-09T12:55:00Z
7
value 0.00253
scoring_system epss
scoring_elements 0.4861
published_at 2026-04-11T12:55:00Z
8
value 0.00253
scoring_system epss
scoring_elements 0.48584
published_at 2026-04-12T12:55:00Z
9
value 0.00253
scoring_system epss
scoring_elements 0.48596
published_at 2026-04-13T12:55:00Z
10
value 0.00253
scoring_system epss
scoring_elements 0.48646
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21338
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21338.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21338.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21338.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21338.yaml
3
reference_url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4jhw-2p6j-5wmp
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4jhw-2p6j-5wmp
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21338
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21338
5
reference_url https://packagist.org/packages/typo3/cms-core
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://packagist.org/packages/typo3/cms-core
6
reference_url https://typo3.org/security/advisory/typo3-core-sa-2021-001
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2021-001
7
reference_url https://github.com/advisories/GHSA-4jhw-2p6j-5wmp
reference_id GHSA-4jhw-2p6j-5wmp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4jhw-2p6j-5wmp
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.40
purl pkg:composer/typo3/cms-core@8.7.40
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ekfd-wp8z-d7e1
1
vulnerability VCID-n15v-ta9h-6ffb
2
vulnerability VCID-s64f-x81f-b7ce
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.40
1
url pkg:composer/typo3/cms-core@9.5.25
purl pkg:composer/typo3/cms-core@9.5.25
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4jpa-6fqh-hbfg
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-5paq-5frf-43ed
3
vulnerability VCID-65ue-7jd9-23gf
4
vulnerability VCID-6a9t-8dmn-s3bv
5
vulnerability VCID-8d2m-1ffv-jqe1
6
vulnerability VCID-axvk-13qf-tka7
7
vulnerability VCID-b6er-h7dm-3bev
8
vulnerability VCID-bajy-qbwq-fufn
9
vulnerability VCID-e32h-8q61-hbgc
10
vulnerability VCID-ekfd-wp8z-d7e1
11
vulnerability VCID-g4uc-qeb6-myed
12
vulnerability VCID-gv1b-xtv4-4yg3
13
vulnerability VCID-h6y3-7gsq-skh2
14
vulnerability VCID-mnz3-rj21-67ad
15
vulnerability VCID-mud2-s4rc-fuf6
16
vulnerability VCID-n15v-ta9h-6ffb
17
vulnerability VCID-n7ng-zkkb-2qaz
18
vulnerability VCID-nubu-f1sc-gbes
19
vulnerability VCID-remd-55jh-r3g5
20
vulnerability VCID-s55j-8hbt-akhn
21
vulnerability VCID-s64f-x81f-b7ce
22
vulnerability VCID-t1n7-eswt-73gw
23
vulnerability VCID-taj6-zj2n-5kg8
24
vulnerability VCID-ve7g-8st5-wffb
25
vulnerability VCID-vyvy-y3cw-hbgr
26
vulnerability VCID-w13x-3rp9-wyej
27
vulnerability VCID-xy6y-312d-rygj
28
vulnerability VCID-y32z-2d3f-gkgw
29
vulnerability VCID-zdq2-dhb2-6kaq
30
vulnerability VCID-zn99-ywte-33g6
31
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25
2
url pkg:composer/typo3/cms-core@10.4.14
purl pkg:composer/typo3/cms-core@10.4.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-6a9t-8dmn-s3bv
7
vulnerability VCID-8d2m-1ffv-jqe1
8
vulnerability VCID-8sdd-b1bn-cuhx
9
vulnerability VCID-av8u-rvzq-4fc7
10
vulnerability VCID-axvk-13qf-tka7
11
vulnerability VCID-b6er-h7dm-3bev
12
vulnerability VCID-bajy-qbwq-fufn
13
vulnerability VCID-e32h-8q61-hbgc
14
vulnerability VCID-ekfd-wp8z-d7e1
15
vulnerability VCID-g4uc-qeb6-myed
16
vulnerability VCID-gv1b-xtv4-4yg3
17
vulnerability VCID-gyyu-n3b1-zbcj
18
vulnerability VCID-h6y3-7gsq-skh2
19
vulnerability VCID-mnz3-rj21-67ad
20
vulnerability VCID-mud2-s4rc-fuf6
21
vulnerability VCID-n15v-ta9h-6ffb
22
vulnerability VCID-n7ng-zkkb-2qaz
23
vulnerability VCID-nubu-f1sc-gbes
24
vulnerability VCID-remd-55jh-r3g5
25
vulnerability VCID-s55j-8hbt-akhn
26
vulnerability VCID-s64f-x81f-b7ce
27
vulnerability VCID-t1n7-eswt-73gw
28
vulnerability VCID-taj6-zj2n-5kg8
29
vulnerability VCID-ve7g-8st5-wffb
30
vulnerability VCID-vwb2-a84s-5qak
31
vulnerability VCID-vyvy-y3cw-hbgr
32
vulnerability VCID-w13x-3rp9-wyej
33
vulnerability VCID-xy6y-312d-rygj
34
vulnerability VCID-y32z-2d3f-gkgw
35
vulnerability VCID-zdq2-dhb2-6kaq
36
vulnerability VCID-zn99-ywte-33g6
37
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14
3
url pkg:composer/typo3/cms-core@11.1.1
purl pkg:composer/typo3/cms-core@11.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-6a9t-8dmn-s3bv
7
vulnerability VCID-8d2m-1ffv-jqe1
8
vulnerability VCID-8sdd-b1bn-cuhx
9
vulnerability VCID-av8u-rvzq-4fc7
10
vulnerability VCID-axvk-13qf-tka7
11
vulnerability VCID-b6er-h7dm-3bev
12
vulnerability VCID-bajy-qbwq-fufn
13
vulnerability VCID-e32h-8q61-hbgc
14
vulnerability VCID-ekfd-wp8z-d7e1
15
vulnerability VCID-g4uc-qeb6-myed
16
vulnerability VCID-gv1b-xtv4-4yg3
17
vulnerability VCID-gyyu-n3b1-zbcj
18
vulnerability VCID-h6y3-7gsq-skh2
19
vulnerability VCID-mnz3-rj21-67ad
20
vulnerability VCID-mud2-s4rc-fuf6
21
vulnerability VCID-n15v-ta9h-6ffb
22
vulnerability VCID-n7ng-zkkb-2qaz
23
vulnerability VCID-nubu-f1sc-gbes
24
vulnerability VCID-remd-55jh-r3g5
25
vulnerability VCID-s55j-8hbt-akhn
26
vulnerability VCID-s64f-x81f-b7ce
27
vulnerability VCID-t1n7-eswt-73gw
28
vulnerability VCID-taj6-zj2n-5kg8
29
vulnerability VCID-uyeu-a3xr-fkh4
30
vulnerability VCID-ve7g-8st5-wffb
31
vulnerability VCID-vwb2-a84s-5qak
32
vulnerability VCID-vyvy-y3cw-hbgr
33
vulnerability VCID-w13x-3rp9-wyej
34
vulnerability VCID-xy6y-312d-rygj
35
vulnerability VCID-y32z-2d3f-gkgw
36
vulnerability VCID-zdq2-dhb2-6kaq
37
vulnerability VCID-zn99-ywte-33g6
38
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1
aliases CVE-2021-21338, GHSA-4jhw-2p6j-5wmp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5jgb-dsyx-hyb4
2
url VCID-5paq-5frf-43ed
vulnerability_id VCID-5paq-5frf-43ed
summary 
TYPO3 CMS Stored Cross-Site Scripting via FileDumpController
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.0)

### Problem
It has been discovered that the `FileDumpController` (backend and frontend context) is vulnerable to cross-site scripting when malicious files are displayed using this component. A valid backend user account is needed to exploit this vulnerability.

### Solution
Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above.

### Credits
Thanks to Vautia who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue.

### References
* [TYPO3-CORE-SA-2022-009](https://typo3.org/security/advisory/typo3-core-sa-2022-009)
* [Vulnerability Report on huntr.dev](https://huntr.dev/bounties/51e9b709-193c-41fd-bd4a-833aaca0bd4e/) (embargoed +30 days)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-36107
reference_id
reference_type
scores
0
value 0.00687
scoring_system epss
scoring_elements 0.71682
published_at 2026-04-02T12:55:00Z
1
value 0.00687
scoring_system epss
scoring_elements 0.7173
published_at 2026-04-12T12:55:00Z
2
value 0.00687
scoring_system epss
scoring_elements 0.71747
published_at 2026-04-11T12:55:00Z
3
value 0.00687
scoring_system epss
scoring_elements 0.71723
published_at 2026-04-09T12:55:00Z
4
value 0.00687
scoring_system epss
scoring_elements 0.71712
published_at 2026-04-08T12:55:00Z
5
value 0.00687
scoring_system epss
scoring_elements 0.71673
published_at 2026-04-07T12:55:00Z
6
value 0.00687
scoring_system epss
scoring_elements 0.717
published_at 2026-04-04T12:55:00Z
7
value 0.00687
scoring_system epss
scoring_elements 0.71762
published_at 2026-04-18T12:55:00Z
8
value 0.00687
scoring_system epss
scoring_elements 0.71756
published_at 2026-04-16T12:55:00Z
9
value 0.00687
scoring_system epss
scoring_elements 0.71713
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-36107
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36107.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36107.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36107.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36107.yaml
3
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
4
reference_url https://github.com/TYPO3/typo3/commit/546208428c861a09d62b86cde141eb19a81fae66
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/546208428c861a09d62b86cde141eb19a81fae66
5
reference_url https://github.com/TYPO3/typo3/commit/bd58d2ff2eeef89e63ef754a2389597d22622a39
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/bd58d2ff2eeef89e63ef754a2389597d22622a39
6
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-9c6w-55cp-5w25
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/security/advisories/GHSA-9c6w-55cp-5w25
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-36107
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-36107
8
reference_url https://typo3.org/security/advisory/typo3-core-sa-2022-009
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2022-009
9
reference_url https://github.com/advisories/GHSA-9c6w-55cp-5w25
reference_id GHSA-9c6w-55cp-5w25
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9c6w-55cp-5w25
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.48
purl pkg:composer/typo3/cms-core@8.7.48
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.48
1
url pkg:composer/typo3/cms-core@9.5.37
purl pkg:composer/typo3/cms-core@9.5.37
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.37
2
url pkg:composer/typo3/cms-core@10.4.32
purl pkg:composer/typo3/cms-core@10.4.32
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-8sdd-b1bn-cuhx
5
vulnerability VCID-axvk-13qf-tka7
6
vulnerability VCID-g4uc-qeb6-myed
7
vulnerability VCID-gv1b-xtv4-4yg3
8
vulnerability VCID-gyyu-n3b1-zbcj
9
vulnerability VCID-h6y3-7gsq-skh2
10
vulnerability VCID-mud2-s4rc-fuf6
11
vulnerability VCID-n7ng-zkkb-2qaz
12
vulnerability VCID-nubu-f1sc-gbes
13
vulnerability VCID-t1n7-eswt-73gw
14
vulnerability VCID-taj6-zj2n-5kg8
15
vulnerability VCID-ve7g-8st5-wffb
16
vulnerability VCID-vyvy-y3cw-hbgr
17
vulnerability VCID-w13x-3rp9-wyej
18
vulnerability VCID-xy6y-312d-rygj
19
vulnerability VCID-zdq2-dhb2-6kaq
20
vulnerability VCID-zn99-ywte-33g6
21
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.32
3
url pkg:composer/typo3/cms-core@11.5.16
purl pkg:composer/typo3/cms-core@11.5.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-8sdd-b1bn-cuhx
5
vulnerability VCID-axvk-13qf-tka7
6
vulnerability VCID-g4uc-qeb6-myed
7
vulnerability VCID-gv1b-xtv4-4yg3
8
vulnerability VCID-gyyu-n3b1-zbcj
9
vulnerability VCID-h6y3-7gsq-skh2
10
vulnerability VCID-mud2-s4rc-fuf6
11
vulnerability VCID-n7ng-zkkb-2qaz
12
vulnerability VCID-nubu-f1sc-gbes
13
vulnerability VCID-t1n7-eswt-73gw
14
vulnerability VCID-taj6-zj2n-5kg8
15
vulnerability VCID-ve7g-8st5-wffb
16
vulnerability VCID-vyvy-y3cw-hbgr
17
vulnerability VCID-w13x-3rp9-wyej
18
vulnerability VCID-xy6y-312d-rygj
19
vulnerability VCID-zdq2-dhb2-6kaq
20
vulnerability VCID-zn99-ywte-33g6
21
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.16
aliases CVE-2022-36107, GHSA-9c6w-55cp-5w25
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5paq-5frf-43ed
3
url VCID-axvk-13qf-tka7
vulnerability_id VCID-axvk-13qf-tka7
summary 
TYPO3 Install Tool vulnerable to Code Execution
### Problem
Several settings in the Install Tool for configuring the path to system binaries were vulnerable to code execution. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions.

The corresponding change for this advisory involves enforcing the known disadvantages described in [TYPO3-PSA-2020-002: Protecting Install Tool with Sudo Mode](https://typo3.org/security/advisory/typo3-psa-2020-002).

### Solution
Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described.

### Credits
Thanks to Rickmer Frier & Daniel Jonka who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue.

### References
* [TYPO3-CORE-SA-2024-002](https://typo3.org/security/advisory/typo3-core-sa-2024-002)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-22188
reference_id
reference_type
scores
0
value 0.00687
scoring_system epss
scoring_elements 0.71704
published_at 2026-04-08T12:55:00Z
1
value 0.00687
scoring_system epss
scoring_elements 0.71753
published_at 2026-04-18T12:55:00Z
2
value 0.00687
scoring_system epss
scoring_elements 0.71747
published_at 2026-04-16T12:55:00Z
3
value 0.00687
scoring_system epss
scoring_elements 0.71703
published_at 2026-04-13T12:55:00Z
4
value 0.00687
scoring_system epss
scoring_elements 0.71721
published_at 2026-04-12T12:55:00Z
5
value 0.00687
scoring_system epss
scoring_elements 0.71738
published_at 2026-04-11T12:55:00Z
6
value 0.00687
scoring_system epss
scoring_elements 0.71715
published_at 2026-04-09T12:55:00Z
7
value 0.00687
scoring_system epss
scoring_elements 0.71692
published_at 2026-04-04T12:55:00Z
8
value 0.00687
scoring_system epss
scoring_elements 0.71665
published_at 2026-04-07T12:55:00Z
9
value 0.00687
scoring_system epss
scoring_elements 0.71674
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-22188
1
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
2
reference_url https://github.com/TYPO3/typo3/commit/47e897f8c7668ef299ecc9ce93f52cafbb3497ed
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/47e897f8c7668ef299ecc9ce93f52cafbb3497ed
3
reference_url https://github.com/TYPO3/typo3/commit/6cc11761b8e2434fa4ccc9f096c65ca82569cfdf
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/6cc11761b8e2434fa4ccc9f096c65ca82569cfdf
4
reference_url https://github.com/TYPO3/typo3/commit/84e07e35b880a544b517868432c56987d05d46d4
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/84e07e35b880a544b517868432c56987d05d46d4
5
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-05T16:17:44Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-22188
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-22188
7
reference_url https://typo3.org/help/security-advisories
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://typo3.org/help/security-advisories
8
reference_url https://typo3.org/security/advisory/typo3-core-sa-2024-002
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-05T16:17:44Z/
url https://typo3.org/security/advisory/typo3-core-sa-2024-002
9
reference_url https://typo3.org/security/advisory/typo3-psa-2020-002
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-psa-2020-002
10
reference_url https://github.com/advisories/GHSA-5w2h-59j3-8x5w
reference_id GHSA-5w2h-59j3-8x5w
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5w2h-59j3-8x5w
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.57
purl pkg:composer/typo3/cms-core@8.7.57
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.57
1
url pkg:composer/typo3/cms-core@9.5.46
purl pkg:composer/typo3/cms-core@9.5.46
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.46
2
url pkg:composer/typo3/cms-core@10.4.43
purl pkg:composer/typo3/cms-core@10.4.43
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.43
3
url pkg:composer/typo3/cms-core@11.5.35
purl pkg:composer/typo3/cms-core@11.5.35
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-mud2-s4rc-fuf6
6
vulnerability VCID-nubu-f1sc-gbes
7
vulnerability VCID-xy6y-312d-rygj
8
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.35
4
url pkg:composer/typo3/cms-core@12.4.11
purl pkg:composer/typo3/cms-core@12.4.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-jxw7-skw6-q7bg
6
vulnerability VCID-mud2-s4rc-fuf6
7
vulnerability VCID-nubu-f1sc-gbes
8
vulnerability VCID-xy6y-312d-rygj
9
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.11
5
url pkg:composer/typo3/cms-core@13.0.1
purl pkg:composer/typo3/cms-core@13.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-jxw7-skw6-q7bg
6
vulnerability VCID-mud2-s4rc-fuf6
7
vulnerability VCID-nubu-f1sc-gbes
8
vulnerability VCID-xy6y-312d-rygj
9
vulnerability VCID-yxy9-ngwb-6qdm
10
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.1
aliases CVE-2024-22188, GHSA-5w2h-59j3-8x5w
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-axvk-13qf-tka7
4
url VCID-b6er-h7dm-3bev
vulnerability_id VCID-b6er-h7dm-3bev
summary 
TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7)

### Problem
Due to a parsing issue in upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://github.com/TYPO3/html-sanitizer).

### Solution
Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above.

### Credits
Thanks to David Klein who reported this issue, and to TYPO3 security team member Oliver Hader who fixed the issue.

### References
* [TYPO3-CORE-SA-2022-011](https://typo3.org/security/advisory/typo3-core-sa-2022-011)
* [GHSA-47m6-46mj-p235](https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-47m6-46mj-p235)
references
0
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
1
reference_url https://github.com/TYPO3/typo3/commit/d4f260570abd934fcf3819370a135bef33d729b7
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/d4f260570abd934fcf3819370a135bef33d729b7
2
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-gqqf-g5r7-84vf
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/security/advisories/GHSA-gqqf-g5r7-84vf
3
reference_url https://github.com/advisories/GHSA-gqqf-g5r7-84vf
reference_id GHSA-gqqf-g5r7-84vf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gqqf-g5r7-84vf
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.48
purl pkg:composer/typo3/cms-core@8.7.48
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.48
1
url pkg:composer/typo3/cms-core@9.5.37
purl pkg:composer/typo3/cms-core@9.5.37
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.37
2
url pkg:composer/typo3/cms-core@10.4.32
purl pkg:composer/typo3/cms-core@10.4.32
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-8sdd-b1bn-cuhx
5
vulnerability VCID-axvk-13qf-tka7
6
vulnerability VCID-g4uc-qeb6-myed
7
vulnerability VCID-gv1b-xtv4-4yg3
8
vulnerability VCID-gyyu-n3b1-zbcj
9
vulnerability VCID-h6y3-7gsq-skh2
10
vulnerability VCID-mud2-s4rc-fuf6
11
vulnerability VCID-n7ng-zkkb-2qaz
12
vulnerability VCID-nubu-f1sc-gbes
13
vulnerability VCID-t1n7-eswt-73gw
14
vulnerability VCID-taj6-zj2n-5kg8
15
vulnerability VCID-ve7g-8st5-wffb
16
vulnerability VCID-vyvy-y3cw-hbgr
17
vulnerability VCID-w13x-3rp9-wyej
18
vulnerability VCID-xy6y-312d-rygj
19
vulnerability VCID-zdq2-dhb2-6kaq
20
vulnerability VCID-zn99-ywte-33g6
21
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.32
3
url pkg:composer/typo3/cms-core@11.5.16
purl pkg:composer/typo3/cms-core@11.5.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-8sdd-b1bn-cuhx
5
vulnerability VCID-axvk-13qf-tka7
6
vulnerability VCID-g4uc-qeb6-myed
7
vulnerability VCID-gv1b-xtv4-4yg3
8
vulnerability VCID-gyyu-n3b1-zbcj
9
vulnerability VCID-h6y3-7gsq-skh2
10
vulnerability VCID-mud2-s4rc-fuf6
11
vulnerability VCID-n7ng-zkkb-2qaz
12
vulnerability VCID-nubu-f1sc-gbes
13
vulnerability VCID-t1n7-eswt-73gw
14
vulnerability VCID-taj6-zj2n-5kg8
15
vulnerability VCID-ve7g-8st5-wffb
16
vulnerability VCID-vyvy-y3cw-hbgr
17
vulnerability VCID-w13x-3rp9-wyej
18
vulnerability VCID-xy6y-312d-rygj
19
vulnerability VCID-zdq2-dhb2-6kaq
20
vulnerability VCID-zn99-ywte-33g6
21
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.16
aliases GHSA-gqqf-g5r7-84vf, GMS-2022-4096
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b6er-h7dm-3bev
5
url VCID-bajy-qbwq-fufn
vulnerability_id VCID-bajy-qbwq-fufn
summary 
Insertion of Sensitive Information into Log File in typo3/cms-core
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9)

### Problem
It has been discovered that system internal credentials or keys (e.g. database credentials) have been logged as plaintext in exception handlers, when logging the complete exception stack trace.

### Solution
Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above.

### Credits
Thanks to Marco Huber who reported this issue and to TYPO3 security member Torben Hansen who fixed the issue.

### References
* [TYPO3-CORE-SA-2022-002](https://typo3.org/security/advisory/typo3-core-sa-2022-002)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-31047
reference_id
reference_type
scores
0
value 0.00391
scoring_system epss
scoring_elements 0.60107
published_at 2026-04-02T12:55:00Z
1
value 0.00391
scoring_system epss
scoring_elements 0.60201
published_at 2026-04-18T12:55:00Z
2
value 0.00391
scoring_system epss
scoring_elements 0.60194
published_at 2026-04-16T12:55:00Z
3
value 0.00391
scoring_system epss
scoring_elements 0.60155
published_at 2026-04-13T12:55:00Z
4
value 0.00391
scoring_system epss
scoring_elements 0.60173
published_at 2026-04-12T12:55:00Z
5
value 0.00391
scoring_system epss
scoring_elements 0.60187
published_at 2026-04-11T12:55:00Z
6
value 0.00391
scoring_system epss
scoring_elements 0.60165
published_at 2026-04-09T12:55:00Z
7
value 0.00391
scoring_system epss
scoring_elements 0.60151
published_at 2026-04-08T12:55:00Z
8
value 0.00391
scoring_system epss
scoring_elements 0.60101
published_at 2026-04-07T12:55:00Z
9
value 0.00391
scoring_system epss
scoring_elements 0.60132
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-31047
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31047.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31047.yaml
2
reference_url https://github.com/TYPO3-CMS/core
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3-CMS/core
3
reference_url https://github.com/TYPO3/typo3/commit/c93ea692e7dfef03b7c50fe5437487545bee4d6a
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:23Z/
url https://github.com/TYPO3/typo3/commit/c93ea692e7dfef03b7c50fe5437487545bee4d6a
4
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-fh99-4pgr-8j99
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:23Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-fh99-4pgr-8j99
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-31047
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-31047
6
reference_url https://typo3.org/security/advisory/typo3-core-sa-2022-002
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:23Z/
url https://typo3.org/security/advisory/typo3-core-sa-2022-002
7
reference_url https://github.com/advisories/GHSA-fh99-4pgr-8j99
reference_id GHSA-fh99-4pgr-8j99
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fh99-4pgr-8j99
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.47
purl pkg:composer/typo3/cms-core@8.7.47
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5paq-5frf-43ed
1
vulnerability VCID-b6er-h7dm-3bev
2
vulnerability VCID-mnz3-rj21-67ad
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.47
1
url pkg:composer/typo3/cms-core@9.5.35
purl pkg:composer/typo3/cms-core@9.5.35
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.35
2
url pkg:composer/typo3/cms-core@10.4.29
purl pkg:composer/typo3/cms-core@10.4.29
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4t9s-p25a-cfas
3
vulnerability VCID-5paq-5frf-43ed
4
vulnerability VCID-65ue-7jd9-23gf
5
vulnerability VCID-8d2m-1ffv-jqe1
6
vulnerability VCID-8sdd-b1bn-cuhx
7
vulnerability VCID-av8u-rvzq-4fc7
8
vulnerability VCID-axvk-13qf-tka7
9
vulnerability VCID-b6er-h7dm-3bev
10
vulnerability VCID-g4uc-qeb6-myed
11
vulnerability VCID-gv1b-xtv4-4yg3
12
vulnerability VCID-gyyu-n3b1-zbcj
13
vulnerability VCID-h6y3-7gsq-skh2
14
vulnerability VCID-mnz3-rj21-67ad
15
vulnerability VCID-mud2-s4rc-fuf6
16
vulnerability VCID-n7ng-zkkb-2qaz
17
vulnerability VCID-nubu-f1sc-gbes
18
vulnerability VCID-t1n7-eswt-73gw
19
vulnerability VCID-taj6-zj2n-5kg8
20
vulnerability VCID-ve7g-8st5-wffb
21
vulnerability VCID-vwb2-a84s-5qak
22
vulnerability VCID-vyvy-y3cw-hbgr
23
vulnerability VCID-w13x-3rp9-wyej
24
vulnerability VCID-xy6y-312d-rygj
25
vulnerability VCID-zdq2-dhb2-6kaq
26
vulnerability VCID-zn99-ywte-33g6
27
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.29
3
url pkg:composer/typo3/cms-core@11.5.11
purl pkg:composer/typo3/cms-core@11.5.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4t9s-p25a-cfas
3
vulnerability VCID-5paq-5frf-43ed
4
vulnerability VCID-65ue-7jd9-23gf
5
vulnerability VCID-8d2m-1ffv-jqe1
6
vulnerability VCID-8sdd-b1bn-cuhx
7
vulnerability VCID-av8u-rvzq-4fc7
8
vulnerability VCID-axvk-13qf-tka7
9
vulnerability VCID-b6er-h7dm-3bev
10
vulnerability VCID-g4uc-qeb6-myed
11
vulnerability VCID-gv1b-xtv4-4yg3
12
vulnerability VCID-gyyu-n3b1-zbcj
13
vulnerability VCID-h6y3-7gsq-skh2
14
vulnerability VCID-mnz3-rj21-67ad
15
vulnerability VCID-mud2-s4rc-fuf6
16
vulnerability VCID-n7ng-zkkb-2qaz
17
vulnerability VCID-nubu-f1sc-gbes
18
vulnerability VCID-t1n7-eswt-73gw
19
vulnerability VCID-taj6-zj2n-5kg8
20
vulnerability VCID-tnxn-p13f-yuah
21
vulnerability VCID-ve7g-8st5-wffb
22
vulnerability VCID-vwb2-a84s-5qak
23
vulnerability VCID-vyvy-y3cw-hbgr
24
vulnerability VCID-w13x-3rp9-wyej
25
vulnerability VCID-xy6y-312d-rygj
26
vulnerability VCID-zdq2-dhb2-6kaq
27
vulnerability VCID-zn99-ywte-33g6
28
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.11
aliases CVE-2022-31047, GHSA-fh99-4pgr-8j99
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bajy-qbwq-fufn
6
url VCID-dsu7-jjjq-f3e1
vulnerability_id VCID-dsu7-jjjq-f3e1
summary 
Cleartext storage of session identifier
### Problem
User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.

### Solution
Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described.

### Credits
Thanks to TYPO3 security team member Oliver Hader who reported this issue and to TYPO3 core & security team members Benni Mack & Oliver Hader who fixed the issue.

### References
* [TYPO3-CORE-SA-2021-006](https://typo3.org/security/advisory/typo3-core-sa-2021-006)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21339
reference_id
reference_type
scores
0
value 0.00132
scoring_system epss
scoring_elements 0.32688
published_at 2026-04-18T12:55:00Z
1
value 0.00132
scoring_system epss
scoring_elements 0.32671
published_at 2026-04-01T12:55:00Z
2
value 0.00132
scoring_system epss
scoring_elements 0.32804
published_at 2026-04-02T12:55:00Z
3
value 0.00132
scoring_system epss
scoring_elements 0.3284
published_at 2026-04-04T12:55:00Z
4
value 0.00132
scoring_system epss
scoring_elements 0.32661
published_at 2026-04-07T12:55:00Z
5
value 0.00132
scoring_system epss
scoring_elements 0.32709
published_at 2026-04-08T12:55:00Z
6
value 0.00132
scoring_system epss
scoring_elements 0.32735
published_at 2026-04-09T12:55:00Z
7
value 0.00132
scoring_system epss
scoring_elements 0.32736
published_at 2026-04-11T12:55:00Z
8
value 0.00132
scoring_system epss
scoring_elements 0.327
published_at 2026-04-12T12:55:00Z
9
value 0.00132
scoring_system epss
scoring_elements 0.32672
published_at 2026-04-13T12:55:00Z
10
value 0.00132
scoring_system epss
scoring_elements 0.32711
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21339
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21339.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21339.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21339.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21339.yaml
3
reference_url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-qx3w-4864-94ch
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-qx3w-4864-94ch
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21339
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21339
5
reference_url https://packagist.org/packages/typo3/cms-core
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://packagist.org/packages/typo3/cms-core
6
reference_url https://typo3.org/security/advisory/typo3-core-sa-2021-006
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2021-006
7
reference_url https://github.com/advisories/GHSA-qx3w-4864-94ch
reference_id GHSA-qx3w-4864-94ch
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qx3w-4864-94ch
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.40
purl pkg:composer/typo3/cms-core@8.7.40
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ekfd-wp8z-d7e1
1
vulnerability VCID-n15v-ta9h-6ffb
2
vulnerability VCID-s64f-x81f-b7ce
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.40
1
url pkg:composer/typo3/cms-core@9.5.25
purl pkg:composer/typo3/cms-core@9.5.25
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4jpa-6fqh-hbfg
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-5paq-5frf-43ed
3
vulnerability VCID-65ue-7jd9-23gf
4
vulnerability VCID-6a9t-8dmn-s3bv
5
vulnerability VCID-8d2m-1ffv-jqe1
6
vulnerability VCID-axvk-13qf-tka7
7
vulnerability VCID-b6er-h7dm-3bev
8
vulnerability VCID-bajy-qbwq-fufn
9
vulnerability VCID-e32h-8q61-hbgc
10
vulnerability VCID-ekfd-wp8z-d7e1
11
vulnerability VCID-g4uc-qeb6-myed
12
vulnerability VCID-gv1b-xtv4-4yg3
13
vulnerability VCID-h6y3-7gsq-skh2
14
vulnerability VCID-mnz3-rj21-67ad
15
vulnerability VCID-mud2-s4rc-fuf6
16
vulnerability VCID-n15v-ta9h-6ffb
17
vulnerability VCID-n7ng-zkkb-2qaz
18
vulnerability VCID-nubu-f1sc-gbes
19
vulnerability VCID-remd-55jh-r3g5
20
vulnerability VCID-s55j-8hbt-akhn
21
vulnerability VCID-s64f-x81f-b7ce
22
vulnerability VCID-t1n7-eswt-73gw
23
vulnerability VCID-taj6-zj2n-5kg8
24
vulnerability VCID-ve7g-8st5-wffb
25
vulnerability VCID-vyvy-y3cw-hbgr
26
vulnerability VCID-w13x-3rp9-wyej
27
vulnerability VCID-xy6y-312d-rygj
28
vulnerability VCID-y32z-2d3f-gkgw
29
vulnerability VCID-zdq2-dhb2-6kaq
30
vulnerability VCID-zn99-ywte-33g6
31
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25
2
url pkg:composer/typo3/cms-core@10.4.14
purl pkg:composer/typo3/cms-core@10.4.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-6a9t-8dmn-s3bv
7
vulnerability VCID-8d2m-1ffv-jqe1
8
vulnerability VCID-8sdd-b1bn-cuhx
9
vulnerability VCID-av8u-rvzq-4fc7
10
vulnerability VCID-axvk-13qf-tka7
11
vulnerability VCID-b6er-h7dm-3bev
12
vulnerability VCID-bajy-qbwq-fufn
13
vulnerability VCID-e32h-8q61-hbgc
14
vulnerability VCID-ekfd-wp8z-d7e1
15
vulnerability VCID-g4uc-qeb6-myed
16
vulnerability VCID-gv1b-xtv4-4yg3
17
vulnerability VCID-gyyu-n3b1-zbcj
18
vulnerability VCID-h6y3-7gsq-skh2
19
vulnerability VCID-mnz3-rj21-67ad
20
vulnerability VCID-mud2-s4rc-fuf6
21
vulnerability VCID-n15v-ta9h-6ffb
22
vulnerability VCID-n7ng-zkkb-2qaz
23
vulnerability VCID-nubu-f1sc-gbes
24
vulnerability VCID-remd-55jh-r3g5
25
vulnerability VCID-s55j-8hbt-akhn
26
vulnerability VCID-s64f-x81f-b7ce
27
vulnerability VCID-t1n7-eswt-73gw
28
vulnerability VCID-taj6-zj2n-5kg8
29
vulnerability VCID-ve7g-8st5-wffb
30
vulnerability VCID-vwb2-a84s-5qak
31
vulnerability VCID-vyvy-y3cw-hbgr
32
vulnerability VCID-w13x-3rp9-wyej
33
vulnerability VCID-xy6y-312d-rygj
34
vulnerability VCID-y32z-2d3f-gkgw
35
vulnerability VCID-zdq2-dhb2-6kaq
36
vulnerability VCID-zn99-ywte-33g6
37
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14
3
url pkg:composer/typo3/cms-core@11.1.1
purl pkg:composer/typo3/cms-core@11.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-6a9t-8dmn-s3bv
7
vulnerability VCID-8d2m-1ffv-jqe1
8
vulnerability VCID-8sdd-b1bn-cuhx
9
vulnerability VCID-av8u-rvzq-4fc7
10
vulnerability VCID-axvk-13qf-tka7
11
vulnerability VCID-b6er-h7dm-3bev
12
vulnerability VCID-bajy-qbwq-fufn
13
vulnerability VCID-e32h-8q61-hbgc
14
vulnerability VCID-ekfd-wp8z-d7e1
15
vulnerability VCID-g4uc-qeb6-myed
16
vulnerability VCID-gv1b-xtv4-4yg3
17
vulnerability VCID-gyyu-n3b1-zbcj
18
vulnerability VCID-h6y3-7gsq-skh2
19
vulnerability VCID-mnz3-rj21-67ad
20
vulnerability VCID-mud2-s4rc-fuf6
21
vulnerability VCID-n15v-ta9h-6ffb
22
vulnerability VCID-n7ng-zkkb-2qaz
23
vulnerability VCID-nubu-f1sc-gbes
24
vulnerability VCID-remd-55jh-r3g5
25
vulnerability VCID-s55j-8hbt-akhn
26
vulnerability VCID-s64f-x81f-b7ce
27
vulnerability VCID-t1n7-eswt-73gw
28
vulnerability VCID-taj6-zj2n-5kg8
29
vulnerability VCID-uyeu-a3xr-fkh4
30
vulnerability VCID-ve7g-8st5-wffb
31
vulnerability VCID-vwb2-a84s-5qak
32
vulnerability VCID-vyvy-y3cw-hbgr
33
vulnerability VCID-w13x-3rp9-wyej
34
vulnerability VCID-xy6y-312d-rygj
35
vulnerability VCID-y32z-2d3f-gkgw
36
vulnerability VCID-zdq2-dhb2-6kaq
37
vulnerability VCID-zn99-ywte-33g6
38
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1
aliases CVE-2021-21339, GHSA-qx3w-4864-94ch
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dsu7-jjjq-f3e1
7
url VCID-ekfd-wp8z-d7e1
vulnerability_id VCID-ekfd-wp8z-d7e1
summary 
Cross-site Scripting
TYPO3 is an open source PHP based web content management system. have a cross-site scripting vulnerability. When settings for _backend layouts_ are not properly encoded, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 contain a patch for this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-32669
reference_id
reference_type
scores
0
value 0.00374
scoring_system epss
scoring_elements 0.59043
published_at 2026-04-07T12:55:00Z
1
value 0.00374
scoring_system epss
scoring_elements 0.59121
published_at 2026-04-18T12:55:00Z
2
value 0.00374
scoring_system epss
scoring_elements 0.59116
published_at 2026-04-16T12:55:00Z
3
value 0.00374
scoring_system epss
scoring_elements 0.5908
published_at 2026-04-13T12:55:00Z
4
value 0.00374
scoring_system epss
scoring_elements 0.59099
published_at 2026-04-12T12:55:00Z
5
value 0.00374
scoring_system epss
scoring_elements 0.58981
published_at 2026-04-01T12:55:00Z
6
value 0.00374
scoring_system epss
scoring_elements 0.59094
published_at 2026-04-08T12:55:00Z
7
value 0.00374
scoring_system epss
scoring_elements 0.59056
published_at 2026-04-02T12:55:00Z
8
value 0.00374
scoring_system epss
scoring_elements 0.59078
published_at 2026-04-04T12:55:00Z
9
value 0.00374
scoring_system epss
scoring_elements 0.59117
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-32669
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32669.yaml
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32669.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32669.yaml
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32669.yaml
3
reference_url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-rgcg-28xm-8mmw
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-rgcg-28xm-8mmw
4
reference_url https://typo3.org/security/advisory/typo3-core-sa-2021-011
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2021-011
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-32669
reference_id CVE-2021-32669
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-32669
6
reference_url https://github.com/advisories/GHSA-rgcg-28xm-8mmw
reference_id GHSA-rgcg-28xm-8mmw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rgcg-28xm-8mmw
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.41
purl pkg:composer/typo3/cms-core@8.7.41
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-y32z-2d3f-gkgw
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.41
1
url pkg:composer/typo3/cms-core@9.5.28
purl pkg:composer/typo3/cms-core@9.5.28
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4jpa-6fqh-hbfg
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-5paq-5frf-43ed
3
vulnerability VCID-65ue-7jd9-23gf
4
vulnerability VCID-8d2m-1ffv-jqe1
5
vulnerability VCID-axvk-13qf-tka7
6
vulnerability VCID-b6er-h7dm-3bev
7
vulnerability VCID-bajy-qbwq-fufn
8
vulnerability VCID-e32h-8q61-hbgc
9
vulnerability VCID-ekfd-wp8z-d7e1
10
vulnerability VCID-g4uc-qeb6-myed
11
vulnerability VCID-gv1b-xtv4-4yg3
12
vulnerability VCID-h6y3-7gsq-skh2
13
vulnerability VCID-mnz3-rj21-67ad
14
vulnerability VCID-mud2-s4rc-fuf6
15
vulnerability VCID-n7ng-zkkb-2qaz
16
vulnerability VCID-nubu-f1sc-gbes
17
vulnerability VCID-remd-55jh-r3g5
18
vulnerability VCID-s55j-8hbt-akhn
19
vulnerability VCID-s64f-x81f-b7ce
20
vulnerability VCID-t1n7-eswt-73gw
21
vulnerability VCID-taj6-zj2n-5kg8
22
vulnerability VCID-ve7g-8st5-wffb
23
vulnerability VCID-vyvy-y3cw-hbgr
24
vulnerability VCID-w13x-3rp9-wyej
25
vulnerability VCID-xy6y-312d-rygj
26
vulnerability VCID-y32z-2d3f-gkgw
27
vulnerability VCID-zdq2-dhb2-6kaq
28
vulnerability VCID-zn99-ywte-33g6
29
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.28
2
url pkg:composer/typo3/cms-core@10.4.18
purl pkg:composer/typo3/cms-core@10.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-8d2m-1ffv-jqe1
7
vulnerability VCID-8sdd-b1bn-cuhx
8
vulnerability VCID-av8u-rvzq-4fc7
9
vulnerability VCID-axvk-13qf-tka7
10
vulnerability VCID-b6er-h7dm-3bev
11
vulnerability VCID-bajy-qbwq-fufn
12
vulnerability VCID-e32h-8q61-hbgc
13
vulnerability VCID-g4uc-qeb6-myed
14
vulnerability VCID-gv1b-xtv4-4yg3
15
vulnerability VCID-gyyu-n3b1-zbcj
16
vulnerability VCID-h6y3-7gsq-skh2
17
vulnerability VCID-mnz3-rj21-67ad
18
vulnerability VCID-mud2-s4rc-fuf6
19
vulnerability VCID-n7ng-zkkb-2qaz
20
vulnerability VCID-nubu-f1sc-gbes
21
vulnerability VCID-remd-55jh-r3g5
22
vulnerability VCID-s55j-8hbt-akhn
23
vulnerability VCID-t1n7-eswt-73gw
24
vulnerability VCID-taj6-zj2n-5kg8
25
vulnerability VCID-ve7g-8st5-wffb
26
vulnerability VCID-vwb2-a84s-5qak
27
vulnerability VCID-vyvy-y3cw-hbgr
28
vulnerability VCID-w13x-3rp9-wyej
29
vulnerability VCID-xy6y-312d-rygj
30
vulnerability VCID-y32z-2d3f-gkgw
31
vulnerability VCID-zdq2-dhb2-6kaq
32
vulnerability VCID-zn99-ywte-33g6
33
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.18
3
url pkg:composer/typo3/cms-core@11.3.1
purl pkg:composer/typo3/cms-core@11.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-8d2m-1ffv-jqe1
7
vulnerability VCID-8sdd-b1bn-cuhx
8
vulnerability VCID-av8u-rvzq-4fc7
9
vulnerability VCID-axvk-13qf-tka7
10
vulnerability VCID-b6er-h7dm-3bev
11
vulnerability VCID-bajy-qbwq-fufn
12
vulnerability VCID-e32h-8q61-hbgc
13
vulnerability VCID-g4uc-qeb6-myed
14
vulnerability VCID-gv1b-xtv4-4yg3
15
vulnerability VCID-gyyu-n3b1-zbcj
16
vulnerability VCID-h6y3-7gsq-skh2
17
vulnerability VCID-jjbn-6efk-nud2
18
vulnerability VCID-mnz3-rj21-67ad
19
vulnerability VCID-mud2-s4rc-fuf6
20
vulnerability VCID-n7ng-zkkb-2qaz
21
vulnerability VCID-nubu-f1sc-gbes
22
vulnerability VCID-remd-55jh-r3g5
23
vulnerability VCID-s55j-8hbt-akhn
24
vulnerability VCID-t1n7-eswt-73gw
25
vulnerability VCID-taj6-zj2n-5kg8
26
vulnerability VCID-uyeu-a3xr-fkh4
27
vulnerability VCID-ve7g-8st5-wffb
28
vulnerability VCID-vwb2-a84s-5qak
29
vulnerability VCID-vyvy-y3cw-hbgr
30
vulnerability VCID-w13x-3rp9-wyej
31
vulnerability VCID-xy6y-312d-rygj
32
vulnerability VCID-y32z-2d3f-gkgw
33
vulnerability VCID-zdq2-dhb2-6kaq
34
vulnerability VCID-zn99-ywte-33g6
35
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.3.1
aliases CVE-2021-32669, GHSA-rgcg-28xm-8mmw
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ekfd-wp8z-d7e1
8
url VCID-f963-qur3-2qb7
vulnerability_id VCID-f963-qur3-2qb7
summary 
Cross-Site Scripting in Fluid view helpers
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7)
> * CWE-79

### Problem
It has been discovered that system extension Fluid (`typo3/cms-fluid`) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers.

```
<f:form ... fieldNamePrefix="{payload}" />
<f:be.labels.csh ... label="{payload}" />
<f:be.menus.actionMenu ... label="{payload}" />
```

### Solution
Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described.

### Credits
Thanks to TYPO3 security team member Oliver Hader who reported this issue and to TYPO3 security team members Helmut Hummel & Oliver Hader who fixed the issue.

### References
* [TYPO3-CORE-SA-2020-010](https://typo3.org/security/advisory/typo3-core-sa-2020-010)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-26227
reference_id
reference_type
scores
0
value 0.00359
scoring_system epss
scoring_elements 0.5814
published_at 2026-04-18T12:55:00Z
1
value 0.00359
scoring_system epss
scoring_elements 0.57999
published_at 2026-04-01T12:55:00Z
2
value 0.00359
scoring_system epss
scoring_elements 0.58083
published_at 2026-04-02T12:55:00Z
3
value 0.00359
scoring_system epss
scoring_elements 0.58104
published_at 2026-04-04T12:55:00Z
4
value 0.00359
scoring_system epss
scoring_elements 0.58079
published_at 2026-04-07T12:55:00Z
5
value 0.00359
scoring_system epss
scoring_elements 0.58133
published_at 2026-04-08T12:55:00Z
6
value 0.00359
scoring_system epss
scoring_elements 0.58137
published_at 2026-04-09T12:55:00Z
7
value 0.00359
scoring_system epss
scoring_elements 0.58153
published_at 2026-04-11T12:55:00Z
8
value 0.00359
scoring_system epss
scoring_elements 0.5813
published_at 2026-04-12T12:55:00Z
9
value 0.00359
scoring_system epss
scoring_elements 0.58109
published_at 2026-04-13T12:55:00Z
10
value 0.00359
scoring_system epss
scoring_elements 0.58139
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-26227
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26227.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26227.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26227.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26227.yaml
3
reference_url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-vqqx-jw6p-q3rf
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-vqqx-jw6p-q3rf
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-26227
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-26227
5
reference_url https://packagist.org/packages/typo3/cms-core
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://packagist.org/packages/typo3/cms-core
6
reference_url https://typo3.org/security/advisory/typo3-core-sa-2020-010
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2020-010
7
reference_url https://github.com/advisories/GHSA-vqqx-jw6p-q3rf
reference_id GHSA-vqqx-jw6p-q3rf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vqqx-jw6p-q3rf
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.38
purl pkg:composer/typo3/cms-core@8.7.38
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.38
1
url pkg:composer/typo3/cms-core@9.5.23
purl pkg:composer/typo3/cms-core@9.5.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4jpa-6fqh-hbfg
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-5jgb-dsyx-hyb4
3
vulnerability VCID-5paq-5frf-43ed
4
vulnerability VCID-65ue-7jd9-23gf
5
vulnerability VCID-6a9t-8dmn-s3bv
6
vulnerability VCID-8d2m-1ffv-jqe1
7
vulnerability VCID-axvk-13qf-tka7
8
vulnerability VCID-b6er-h7dm-3bev
9
vulnerability VCID-bajy-qbwq-fufn
10
vulnerability VCID-d8d1-sat6-muhe
11
vulnerability VCID-dsu7-jjjq-f3e1
12
vulnerability VCID-e32h-8q61-hbgc
13
vulnerability VCID-ekfd-wp8z-d7e1
14
vulnerability VCID-g4uc-qeb6-myed
15
vulnerability VCID-gv1b-xtv4-4yg3
16
vulnerability VCID-h6y3-7gsq-skh2
17
vulnerability VCID-he5m-6wj4-rbhc
18
vulnerability VCID-mnz3-rj21-67ad
19
vulnerability VCID-mud2-s4rc-fuf6
20
vulnerability VCID-n15v-ta9h-6ffb
21
vulnerability VCID-n7ng-zkkb-2qaz
22
vulnerability VCID-nubu-f1sc-gbes
23
vulnerability VCID-remd-55jh-r3g5
24
vulnerability VCID-s55j-8hbt-akhn
25
vulnerability VCID-s64f-x81f-b7ce
26
vulnerability VCID-t1n7-eswt-73gw
27
vulnerability VCID-t3jn-vwbx-u7cr
28
vulnerability VCID-taj6-zj2n-5kg8
29
vulnerability VCID-ve7g-8st5-wffb
30
vulnerability VCID-vyvy-y3cw-hbgr
31
vulnerability VCID-w13x-3rp9-wyej
32
vulnerability VCID-xh7y-56vy-5ud8
33
vulnerability VCID-xy6y-312d-rygj
34
vulnerability VCID-y32z-2d3f-gkgw
35
vulnerability VCID-zdq2-dhb2-6kaq
36
vulnerability VCID-zn99-ywte-33g6
37
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.23
2
url pkg:composer/typo3/cms-core@10.4.10
purl pkg:composer/typo3/cms-core@10.4.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5jgb-dsyx-hyb4
5
vulnerability VCID-5paq-5frf-43ed
6
vulnerability VCID-65ue-7jd9-23gf
7
vulnerability VCID-6a9t-8dmn-s3bv
8
vulnerability VCID-8d2m-1ffv-jqe1
9
vulnerability VCID-8sdd-b1bn-cuhx
10
vulnerability VCID-a89c-jvwa-6kh5
11
vulnerability VCID-av8u-rvzq-4fc7
12
vulnerability VCID-axvk-13qf-tka7
13
vulnerability VCID-b6er-h7dm-3bev
14
vulnerability VCID-bajy-qbwq-fufn
15
vulnerability VCID-d8d1-sat6-muhe
16
vulnerability VCID-dhrm-uxuv-zfaj
17
vulnerability VCID-dsu7-jjjq-f3e1
18
vulnerability VCID-e32h-8q61-hbgc
19
vulnerability VCID-ekfd-wp8z-d7e1
20
vulnerability VCID-g4uc-qeb6-myed
21
vulnerability VCID-gv1b-xtv4-4yg3
22
vulnerability VCID-gyyu-n3b1-zbcj
23
vulnerability VCID-h6y3-7gsq-skh2
24
vulnerability VCID-he5m-6wj4-rbhc
25
vulnerability VCID-mnz3-rj21-67ad
26
vulnerability VCID-mud2-s4rc-fuf6
27
vulnerability VCID-n15v-ta9h-6ffb
28
vulnerability VCID-n7ng-zkkb-2qaz
29
vulnerability VCID-nubu-f1sc-gbes
30
vulnerability VCID-remd-55jh-r3g5
31
vulnerability VCID-s55j-8hbt-akhn
32
vulnerability VCID-s64f-x81f-b7ce
33
vulnerability VCID-t1n7-eswt-73gw
34
vulnerability VCID-t3jn-vwbx-u7cr
35
vulnerability VCID-taj6-zj2n-5kg8
36
vulnerability VCID-ve7g-8st5-wffb
37
vulnerability VCID-vwb2-a84s-5qak
38
vulnerability VCID-vyvy-y3cw-hbgr
39
vulnerability VCID-w13x-3rp9-wyej
40
vulnerability VCID-xh7y-56vy-5ud8
41
vulnerability VCID-xy6y-312d-rygj
42
vulnerability VCID-y32z-2d3f-gkgw
43
vulnerability VCID-zdq2-dhb2-6kaq
44
vulnerability VCID-zn99-ywte-33g6
45
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.10
aliases CVE-2020-26227, GHSA-vqqx-jw6p-q3rf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f963-qur3-2qb7
9
url VCID-g4uc-qeb6-myed
vulnerability_id VCID-g4uc-qeb6-myed
summary 
TYPO3 Install Tool vulnerable to Information Disclosure of Encryption Key
### Problem
The plaintext value of `$GLOBALS['SYS']['encryptionKey']` was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions.

### Solution
Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described.

### Credits
Thanks to TYPO3 core & security team member Benjamin Franzke who fixed the issue.

### References
* [TYPO3-CORE-SA-2024-004](https://typo3.org/security/advisory/typo3-core-sa-2024-004)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-25119
reference_id
reference_type
scores
0
value 0.00291
scoring_system epss
scoring_elements 0.52471
published_at 2026-04-02T12:55:00Z
1
value 0.00291
scoring_system epss
scoring_elements 0.52575
published_at 2026-04-18T12:55:00Z
2
value 0.00291
scoring_system epss
scoring_elements 0.52569
published_at 2026-04-16T12:55:00Z
3
value 0.00291
scoring_system epss
scoring_elements 0.5253
published_at 2026-04-13T12:55:00Z
4
value 0.00291
scoring_system epss
scoring_elements 0.52546
published_at 2026-04-12T12:55:00Z
5
value 0.00291
scoring_system epss
scoring_elements 0.52562
published_at 2026-04-11T12:55:00Z
6
value 0.00291
scoring_system epss
scoring_elements 0.52511
published_at 2026-04-09T12:55:00Z
7
value 0.00291
scoring_system epss
scoring_elements 0.52517
published_at 2026-04-08T12:55:00Z
8
value 0.00291
scoring_system epss
scoring_elements 0.52464
published_at 2026-04-07T12:55:00Z
9
value 0.00291
scoring_system epss
scoring_elements 0.52498
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-25119
1
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
2
reference_url https://github.com/TYPO3/typo3/commit/14d101359c71ee963cf51ad0c8ae777b7b9ec9a1
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/14d101359c71ee963cf51ad0c8ae777b7b9ec9a1
3
reference_url https://github.com/TYPO3/typo3/commit/df486372ea56fac241d3c96ad43a7729fee64557
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/df486372ea56fac241d3c96ad43a7729fee64557
4
reference_url https://github.com/TYPO3/typo3/commit/fa12667c046342ebfd9b159c646aeafdbc52fcfd
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/fa12667c046342ebfd9b159c646aeafdbc52fcfd
5
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-h47m-3f78-qp9g
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-14T15:01:19Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-h47m-3f78-qp9g
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-25119
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-25119
7
reference_url https://typo3.org/security/advisory/typo3-core-sa-2024-004
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-14T15:01:19Z/
url https://typo3.org/security/advisory/typo3-core-sa-2024-004
8
reference_url https://github.com/advisories/GHSA-h47m-3f78-qp9g
reference_id GHSA-h47m-3f78-qp9g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h47m-3f78-qp9g
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.57
purl pkg:composer/typo3/cms-core@8.7.57
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.57
1
url pkg:composer/typo3/cms-core@9.5.46
purl pkg:composer/typo3/cms-core@9.5.46
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.46
2
url pkg:composer/typo3/cms-core@10.4.43
purl pkg:composer/typo3/cms-core@10.4.43
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.43
3
url pkg:composer/typo3/cms-core@11.5.35
purl pkg:composer/typo3/cms-core@11.5.35
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-mud2-s4rc-fuf6
6
vulnerability VCID-nubu-f1sc-gbes
7
vulnerability VCID-xy6y-312d-rygj
8
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.35
4
url pkg:composer/typo3/cms-core@12.4.11
purl pkg:composer/typo3/cms-core@12.4.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-jxw7-skw6-q7bg
6
vulnerability VCID-mud2-s4rc-fuf6
7
vulnerability VCID-nubu-f1sc-gbes
8
vulnerability VCID-xy6y-312d-rygj
9
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.11
5
url pkg:composer/typo3/cms-core@13.0.1
purl pkg:composer/typo3/cms-core@13.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-jxw7-skw6-q7bg
6
vulnerability VCID-mud2-s4rc-fuf6
7
vulnerability VCID-nubu-f1sc-gbes
8
vulnerability VCID-xy6y-312d-rygj
9
vulnerability VCID-yxy9-ngwb-6qdm
10
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.1
aliases CVE-2024-25119, GHSA-h47m-3f78-qp9g
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g4uc-qeb6-myed
10
url VCID-gv1b-xtv4-4yg3
vulnerability_id VCID-gv1b-xtv4-4yg3
summary 
TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords
### Problem
Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account.

### Solution
Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described.

### Credits
Thanks to the TYPO3 framework merger Christian Kuhn and external security researchers Maximilian Beckmann, Klaus-Günther Schmidt who reported this issue, and TYPO3 security team member Oliver Hader who fixed the issue.

### References
* [TYPO3-CORE-SA-2024-003](https://typo3.org/security/advisory/typo3-core-sa-2024-003)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-25118
reference_id
reference_type
scores
0
value 0.00508
scoring_system epss
scoring_elements 0.66278
published_at 2026-04-02T12:55:00Z
1
value 0.00508
scoring_system epss
scoring_elements 0.66361
published_at 2026-04-18T12:55:00Z
2
value 0.00508
scoring_system epss
scoring_elements 0.66346
published_at 2026-04-16T12:55:00Z
3
value 0.00508
scoring_system epss
scoring_elements 0.66311
published_at 2026-04-13T12:55:00Z
4
value 0.00508
scoring_system epss
scoring_elements 0.66342
published_at 2026-04-12T12:55:00Z
5
value 0.00508
scoring_system epss
scoring_elements 0.66355
published_at 2026-04-11T12:55:00Z
6
value 0.00508
scoring_system epss
scoring_elements 0.66335
published_at 2026-04-09T12:55:00Z
7
value 0.00508
scoring_system epss
scoring_elements 0.66321
published_at 2026-04-08T12:55:00Z
8
value 0.00508
scoring_system epss
scoring_elements 0.66274
published_at 2026-04-07T12:55:00Z
9
value 0.00508
scoring_system epss
scoring_elements 0.66304
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-25118
1
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
2
reference_url https://github.com/TYPO3/typo3/commit/1186b2fec8a665a8f228ed66e6d60abf8407c17b
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/1186b2fec8a665a8f228ed66e6d60abf8407c17b
3
reference_url https://github.com/TYPO3/typo3/commit/c7a135c25a14b852eebe4335f21ba3c606188f3a
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/c7a135c25a14b852eebe4335f21ba3c606188f3a
4
reference_url https://github.com/TYPO3/typo3/commit/cafc5af7fdce7734e6c8f9ecf2efd17b246fc049
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/cafc5af7fdce7734e6c8f9ecf2efd17b246fc049
5
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-38r2-5695-334w
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T17:58:02Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-38r2-5695-334w
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-25118
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-25118
7
reference_url https://typo3.org/security/advisory/typo3-core-sa-2024-003
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T17:58:02Z/
url https://typo3.org/security/advisory/typo3-core-sa-2024-003
8
reference_url https://github.com/advisories/GHSA-38r2-5695-334w
reference_id GHSA-38r2-5695-334w
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-38r2-5695-334w
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.57
purl pkg:composer/typo3/cms-core@8.7.57
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.57
1
url pkg:composer/typo3/cms-core@9.5.46
purl pkg:composer/typo3/cms-core@9.5.46
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.46
2
url pkg:composer/typo3/cms-core@10.4.43
purl pkg:composer/typo3/cms-core@10.4.43
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.43
3
url pkg:composer/typo3/cms-core@11.5.35
purl pkg:composer/typo3/cms-core@11.5.35
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-mud2-s4rc-fuf6
6
vulnerability VCID-nubu-f1sc-gbes
7
vulnerability VCID-xy6y-312d-rygj
8
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.35
4
url pkg:composer/typo3/cms-core@12.4.11
purl pkg:composer/typo3/cms-core@12.4.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-jxw7-skw6-q7bg
6
vulnerability VCID-mud2-s4rc-fuf6
7
vulnerability VCID-nubu-f1sc-gbes
8
vulnerability VCID-xy6y-312d-rygj
9
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.11
5
url pkg:composer/typo3/cms-core@13.0.1
purl pkg:composer/typo3/cms-core@13.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-jxw7-skw6-q7bg
6
vulnerability VCID-mud2-s4rc-fuf6
7
vulnerability VCID-nubu-f1sc-gbes
8
vulnerability VCID-xy6y-312d-rygj
9
vulnerability VCID-yxy9-ngwb-6qdm
10
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.1
aliases CVE-2024-25118, GHSA-38r2-5695-334w
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gv1b-xtv4-4yg3
11
url VCID-h6y3-7gsq-skh2
vulnerability_id VCID-h6y3-7gsq-skh2
summary 
TYPO3 vulnerable to Weak Authentication in Session Handling
TYPO3 is an open source PHP based web content management system released under the GNU GPL. In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can be reused on the second site without requiring additional authentication. This vulnerability has been addressed in versions 8.7.55, 9.5.44, 10.4.41, 11.5.33, and 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-47127
reference_id
reference_type
scores
0
value 0.00181
scoring_system epss
scoring_elements 0.39866
published_at 2026-04-02T12:55:00Z
1
value 0.00181
scoring_system epss
scoring_elements 0.39861
published_at 2026-04-18T12:55:00Z
2
value 0.00181
scoring_system epss
scoring_elements 0.39839
published_at 2026-04-13T12:55:00Z
3
value 0.00181
scoring_system epss
scoring_elements 0.39856
published_at 2026-04-12T12:55:00Z
4
value 0.00181
scoring_system epss
scoring_elements 0.3989
published_at 2026-04-11T12:55:00Z
5
value 0.00181
scoring_system epss
scoring_elements 0.3988
published_at 2026-04-09T12:55:00Z
6
value 0.00181
scoring_system epss
scoring_elements 0.39867
published_at 2026-04-08T12:55:00Z
7
value 0.00181
scoring_system epss
scoring_elements 0.39812
published_at 2026-04-07T12:55:00Z
8
value 0.00181
scoring_system epss
scoring_elements 0.39889
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-47127
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2023-47127.yaml
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2023-47127.yaml
2
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
3
reference_url https://github.com/TYPO3/typo3/commit/535dfbdc54fd5362e0bc08d911db44eac7f64019
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T20:41:35Z/
url https://github.com/TYPO3/typo3/commit/535dfbdc54fd5362e0bc08d911db44eac7f64019
4
reference_url https://typo3.org/security/advisory/typo3-core-sa-2023-006
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T20:41:35Z/
url https://typo3.org/security/advisory/typo3-core-sa-2023-006
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-47127
reference_id CVE-2023-47127
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-47127
6
reference_url https://github.com/advisories/GHSA-3vmm-7h4j-69rm
reference_id GHSA-3vmm-7h4j-69rm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3vmm-7h4j-69rm
7
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-3vmm-7h4j-69rm
reference_id GHSA-3vmm-7h4j-69rm
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T20:41:35Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-3vmm-7h4j-69rm
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.55
purl pkg:composer/typo3/cms-core@8.7.55
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.55
1
url pkg:composer/typo3/cms-core@9.5.44
purl pkg:composer/typo3/cms-core@9.5.44
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.44
2
url pkg:composer/typo3/cms-core@10.4.41
purl pkg:composer/typo3/cms-core@10.4.41
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.41
3
url pkg:composer/typo3/cms-core@11.5.33
purl pkg:composer/typo3/cms-core@11.5.33
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-axvk-13qf-tka7
5
vulnerability VCID-g4uc-qeb6-myed
6
vulnerability VCID-gv1b-xtv4-4yg3
7
vulnerability VCID-gyyu-n3b1-zbcj
8
vulnerability VCID-mud2-s4rc-fuf6
9
vulnerability VCID-n7ng-zkkb-2qaz
10
vulnerability VCID-nubu-f1sc-gbes
11
vulnerability VCID-taj6-zj2n-5kg8
12
vulnerability VCID-xy6y-312d-rygj
13
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.33
4
url pkg:composer/typo3/cms-core@12.4.8
purl pkg:composer/typo3/cms-core@12.4.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-axvk-13qf-tka7
5
vulnerability VCID-g4uc-qeb6-myed
6
vulnerability VCID-gv1b-xtv4-4yg3
7
vulnerability VCID-gyyu-n3b1-zbcj
8
vulnerability VCID-jxw7-skw6-q7bg
9
vulnerability VCID-mud2-s4rc-fuf6
10
vulnerability VCID-n7ng-zkkb-2qaz
11
vulnerability VCID-nubu-f1sc-gbes
12
vulnerability VCID-taj6-zj2n-5kg8
13
vulnerability VCID-xy6y-312d-rygj
14
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.8
aliases CVE-2023-47127, GHSA-3vmm-7h4j-69rm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h6y3-7gsq-skh2
12
url VCID-he5m-6wj4-rbhc
vulnerability_id VCID-he5m-6wj4-rbhc
summary 
Broken Access Control in Form Framework
### Problem
Due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework.

In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. Besides that, attackers can persist those files in any writable directory of the corresponding TYPO3 installation.

A valid backend user account with access to the form module is needed to exploit this vulnerability.

### Solution
Update to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described.

### Credits
Thanks to Richie Lee who reported this issue and to TYPO3 contributor Ralf Zimmermann who fixed the issue.

### References
* [TYPO3-CORE-SA-2021-003](https://typo3.org/security/advisory/typo3-core-sa-2021-003)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21357
reference_id
reference_type
scores
0
value 0.01121
scoring_system epss
scoring_elements 0.78276
published_at 2026-04-18T12:55:00Z
1
value 0.01121
scoring_system epss
scoring_elements 0.78191
published_at 2026-04-01T12:55:00Z
2
value 0.01121
scoring_system epss
scoring_elements 0.78199
published_at 2026-04-02T12:55:00Z
3
value 0.01121
scoring_system epss
scoring_elements 0.78229
published_at 2026-04-04T12:55:00Z
4
value 0.01121
scoring_system epss
scoring_elements 0.78212
published_at 2026-04-07T12:55:00Z
5
value 0.01121
scoring_system epss
scoring_elements 0.78238
published_at 2026-04-08T12:55:00Z
6
value 0.01121
scoring_system epss
scoring_elements 0.78243
published_at 2026-04-09T12:55:00Z
7
value 0.01121
scoring_system epss
scoring_elements 0.78269
published_at 2026-04-11T12:55:00Z
8
value 0.01121
scoring_system epss
scoring_elements 0.78252
published_at 2026-04-12T12:55:00Z
9
value 0.01121
scoring_system epss
scoring_elements 0.78248
published_at 2026-04-13T12:55:00Z
10
value 0.01121
scoring_system epss
scoring_elements 0.78279
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21357
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21357.yaml
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21357.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21357.yaml
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21357.yaml
3
reference_url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-3vg7-jw9m-pc3f
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-3vg7-jw9m-pc3f
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21357
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21357
5
reference_url https://packagist.org/packages/typo3/cms-form
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://packagist.org/packages/typo3/cms-form
6
reference_url https://typo3.org/security/advisory/typo3-core-sa-2021-003
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2021-003
7
reference_url https://github.com/advisories/GHSA-3vg7-jw9m-pc3f
reference_id GHSA-3vg7-jw9m-pc3f
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3vg7-jw9m-pc3f
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.40
purl pkg:composer/typo3/cms-core@8.7.40
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ekfd-wp8z-d7e1
1
vulnerability VCID-n15v-ta9h-6ffb
2
vulnerability VCID-s64f-x81f-b7ce
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.40
1
url pkg:composer/typo3/cms-core@9.5.25
purl pkg:composer/typo3/cms-core@9.5.25
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4jpa-6fqh-hbfg
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-5paq-5frf-43ed
3
vulnerability VCID-65ue-7jd9-23gf
4
vulnerability VCID-6a9t-8dmn-s3bv
5
vulnerability VCID-8d2m-1ffv-jqe1
6
vulnerability VCID-axvk-13qf-tka7
7
vulnerability VCID-b6er-h7dm-3bev
8
vulnerability VCID-bajy-qbwq-fufn
9
vulnerability VCID-e32h-8q61-hbgc
10
vulnerability VCID-ekfd-wp8z-d7e1
11
vulnerability VCID-g4uc-qeb6-myed
12
vulnerability VCID-gv1b-xtv4-4yg3
13
vulnerability VCID-h6y3-7gsq-skh2
14
vulnerability VCID-mnz3-rj21-67ad
15
vulnerability VCID-mud2-s4rc-fuf6
16
vulnerability VCID-n15v-ta9h-6ffb
17
vulnerability VCID-n7ng-zkkb-2qaz
18
vulnerability VCID-nubu-f1sc-gbes
19
vulnerability VCID-remd-55jh-r3g5
20
vulnerability VCID-s55j-8hbt-akhn
21
vulnerability VCID-s64f-x81f-b7ce
22
vulnerability VCID-t1n7-eswt-73gw
23
vulnerability VCID-taj6-zj2n-5kg8
24
vulnerability VCID-ve7g-8st5-wffb
25
vulnerability VCID-vyvy-y3cw-hbgr
26
vulnerability VCID-w13x-3rp9-wyej
27
vulnerability VCID-xy6y-312d-rygj
28
vulnerability VCID-y32z-2d3f-gkgw
29
vulnerability VCID-zdq2-dhb2-6kaq
30
vulnerability VCID-zn99-ywte-33g6
31
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25
2
url pkg:composer/typo3/cms-core@10.4.14
purl pkg:composer/typo3/cms-core@10.4.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-6a9t-8dmn-s3bv
7
vulnerability VCID-8d2m-1ffv-jqe1
8
vulnerability VCID-8sdd-b1bn-cuhx
9
vulnerability VCID-av8u-rvzq-4fc7
10
vulnerability VCID-axvk-13qf-tka7
11
vulnerability VCID-b6er-h7dm-3bev
12
vulnerability VCID-bajy-qbwq-fufn
13
vulnerability VCID-e32h-8q61-hbgc
14
vulnerability VCID-ekfd-wp8z-d7e1
15
vulnerability VCID-g4uc-qeb6-myed
16
vulnerability VCID-gv1b-xtv4-4yg3
17
vulnerability VCID-gyyu-n3b1-zbcj
18
vulnerability VCID-h6y3-7gsq-skh2
19
vulnerability VCID-mnz3-rj21-67ad
20
vulnerability VCID-mud2-s4rc-fuf6
21
vulnerability VCID-n15v-ta9h-6ffb
22
vulnerability VCID-n7ng-zkkb-2qaz
23
vulnerability VCID-nubu-f1sc-gbes
24
vulnerability VCID-remd-55jh-r3g5
25
vulnerability VCID-s55j-8hbt-akhn
26
vulnerability VCID-s64f-x81f-b7ce
27
vulnerability VCID-t1n7-eswt-73gw
28
vulnerability VCID-taj6-zj2n-5kg8
29
vulnerability VCID-ve7g-8st5-wffb
30
vulnerability VCID-vwb2-a84s-5qak
31
vulnerability VCID-vyvy-y3cw-hbgr
32
vulnerability VCID-w13x-3rp9-wyej
33
vulnerability VCID-xy6y-312d-rygj
34
vulnerability VCID-y32z-2d3f-gkgw
35
vulnerability VCID-zdq2-dhb2-6kaq
36
vulnerability VCID-zn99-ywte-33g6
37
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14
3
url pkg:composer/typo3/cms-core@11.1.1
purl pkg:composer/typo3/cms-core@11.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-6a9t-8dmn-s3bv
7
vulnerability VCID-8d2m-1ffv-jqe1
8
vulnerability VCID-8sdd-b1bn-cuhx
9
vulnerability VCID-av8u-rvzq-4fc7
10
vulnerability VCID-axvk-13qf-tka7
11
vulnerability VCID-b6er-h7dm-3bev
12
vulnerability VCID-bajy-qbwq-fufn
13
vulnerability VCID-e32h-8q61-hbgc
14
vulnerability VCID-ekfd-wp8z-d7e1
15
vulnerability VCID-g4uc-qeb6-myed
16
vulnerability VCID-gv1b-xtv4-4yg3
17
vulnerability VCID-gyyu-n3b1-zbcj
18
vulnerability VCID-h6y3-7gsq-skh2
19
vulnerability VCID-mnz3-rj21-67ad
20
vulnerability VCID-mud2-s4rc-fuf6
21
vulnerability VCID-n15v-ta9h-6ffb
22
vulnerability VCID-n7ng-zkkb-2qaz
23
vulnerability VCID-nubu-f1sc-gbes
24
vulnerability VCID-remd-55jh-r3g5
25
vulnerability VCID-s55j-8hbt-akhn
26
vulnerability VCID-s64f-x81f-b7ce
27
vulnerability VCID-t1n7-eswt-73gw
28
vulnerability VCID-taj6-zj2n-5kg8
29
vulnerability VCID-uyeu-a3xr-fkh4
30
vulnerability VCID-ve7g-8st5-wffb
31
vulnerability VCID-vwb2-a84s-5qak
32
vulnerability VCID-vyvy-y3cw-hbgr
33
vulnerability VCID-w13x-3rp9-wyej
34
vulnerability VCID-xy6y-312d-rygj
35
vulnerability VCID-y32z-2d3f-gkgw
36
vulnerability VCID-zdq2-dhb2-6kaq
37
vulnerability VCID-zn99-ywte-33g6
38
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1
aliases CVE-2021-21357, GHSA-3vg7-jw9m-pc3f
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-he5m-6wj4-rbhc
13
url VCID-mnz3-rj21-67ad
vulnerability_id VCID-mnz3-rj21-67ad
summary 
TYPO3 CMS vulnerable to User Enumeration via Response Timing
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C` (4.9)

### Problem
It has been discovered that observing response time during user authentication (backend and frontend) can be used to distinguish between existing and non-existing user accounts.

Extension authors of 3rd party TYPO3 extensions providing a custom authentication service should check if the extension is affected by the described problem. Affected extensions must implement new `MimicServiceInterface::mimicAuthUser`, which simulates corresponding times regular processing would usually take.

### Solution
Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above.

### Credits
Thanks to Vautia who reported this issue and to TYPO3 core & security team members Oliver Hader who fixed the issue.

### References
* [TYPO3-CORE-SA-2022-007](https://typo3.org/security/advisory/typo3-core-sa-2022-007)
* [Vulnerability Report on huntr.dev](https://huntr.dev/bounties/7d519735-2877-4fad-bd77-accde3e290a7/) (embargoed +30 days)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-36105
reference_id
reference_type
scores
0
value 0.00283
scoring_system epss
scoring_elements 0.51649
published_at 2026-04-02T12:55:00Z
1
value 0.00283
scoring_system epss
scoring_elements 0.51712
published_at 2026-04-12T12:55:00Z
2
value 0.00283
scoring_system epss
scoring_elements 0.51734
published_at 2026-04-11T12:55:00Z
3
value 0.00283
scoring_system epss
scoring_elements 0.51685
published_at 2026-04-09T12:55:00Z
4
value 0.00283
scoring_system epss
scoring_elements 0.51689
published_at 2026-04-08T12:55:00Z
5
value 0.00283
scoring_system epss
scoring_elements 0.51634
published_at 2026-04-07T12:55:00Z
6
value 0.00283
scoring_system epss
scoring_elements 0.51674
published_at 2026-04-04T12:55:00Z
7
value 0.00283
scoring_system epss
scoring_elements 0.51744
published_at 2026-04-18T12:55:00Z
8
value 0.00283
scoring_system epss
scoring_elements 0.51737
published_at 2026-04-16T12:55:00Z
9
value 0.00283
scoring_system epss
scoring_elements 0.51696
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-36105
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36105.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36105.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36105.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36105.yaml
3
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
4
reference_url https://github.com/TYPO3/typo3/commit/f0fc9c4cd7c38207c30dd158de53ee5d9d6f41a2
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/f0fc9c4cd7c38207c30dd158de53ee5d9d6f41a2
5
reference_url https://github.com/TYPO3/typo3/commit/f8b83ce15d4ea275a5a5e564e5d324242f7937b6
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:34Z/
url https://github.com/TYPO3/typo3/commit/f8b83ce15d4ea275a5a5e564e5d324242f7937b6
6
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-m392-235j-9r7r
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:34Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-m392-235j-9r7r
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-36105
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-36105
8
reference_url https://typo3.org/security/advisory/typo3-core-sa-2022-007
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:34Z/
url https://typo3.org/security/advisory/typo3-core-sa-2022-007
9
reference_url https://github.com/advisories/GHSA-m392-235j-9r7r
reference_id GHSA-m392-235j-9r7r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m392-235j-9r7r
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.48
purl pkg:composer/typo3/cms-core@8.7.48
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.48
1
url pkg:composer/typo3/cms-core@9.5.37
purl pkg:composer/typo3/cms-core@9.5.37
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.37
2
url pkg:composer/typo3/cms-core@10.4.32
purl pkg:composer/typo3/cms-core@10.4.32
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-8sdd-b1bn-cuhx
5
vulnerability VCID-axvk-13qf-tka7
6
vulnerability VCID-g4uc-qeb6-myed
7
vulnerability VCID-gv1b-xtv4-4yg3
8
vulnerability VCID-gyyu-n3b1-zbcj
9
vulnerability VCID-h6y3-7gsq-skh2
10
vulnerability VCID-mud2-s4rc-fuf6
11
vulnerability VCID-n7ng-zkkb-2qaz
12
vulnerability VCID-nubu-f1sc-gbes
13
vulnerability VCID-t1n7-eswt-73gw
14
vulnerability VCID-taj6-zj2n-5kg8
15
vulnerability VCID-ve7g-8st5-wffb
16
vulnerability VCID-vyvy-y3cw-hbgr
17
vulnerability VCID-w13x-3rp9-wyej
18
vulnerability VCID-xy6y-312d-rygj
19
vulnerability VCID-zdq2-dhb2-6kaq
20
vulnerability VCID-zn99-ywte-33g6
21
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.32
3
url pkg:composer/typo3/cms-core@11.5.16
purl pkg:composer/typo3/cms-core@11.5.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-8sdd-b1bn-cuhx
5
vulnerability VCID-axvk-13qf-tka7
6
vulnerability VCID-g4uc-qeb6-myed
7
vulnerability VCID-gv1b-xtv4-4yg3
8
vulnerability VCID-gyyu-n3b1-zbcj
9
vulnerability VCID-h6y3-7gsq-skh2
10
vulnerability VCID-mud2-s4rc-fuf6
11
vulnerability VCID-n7ng-zkkb-2qaz
12
vulnerability VCID-nubu-f1sc-gbes
13
vulnerability VCID-t1n7-eswt-73gw
14
vulnerability VCID-taj6-zj2n-5kg8
15
vulnerability VCID-ve7g-8st5-wffb
16
vulnerability VCID-vyvy-y3cw-hbgr
17
vulnerability VCID-w13x-3rp9-wyej
18
vulnerability VCID-xy6y-312d-rygj
19
vulnerability VCID-zdq2-dhb2-6kaq
20
vulnerability VCID-zn99-ywte-33g6
21
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.16
aliases CVE-2022-36105, GHSA-m392-235j-9r7r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mnz3-rj21-67ad
14
url VCID-n15v-ta9h-6ffb
vulnerability_id VCID-n15v-ta9h-6ffb
summary 
Inclusion of Sensitive Information in Log Files
TYPO3 is an open source PHP based web content management system. User credentials may been logged as plain-text. This occurs when explicitly using log level debug, which is not the default configuration. TYPO3 contain a patch for this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-32767
reference_id
reference_type
scores
0
value 0.00327
scoring_system epss
scoring_elements 0.55519
published_at 2026-04-01T12:55:00Z
1
value 0.00327
scoring_system epss
scoring_elements 0.55701
published_at 2026-04-18T12:55:00Z
2
value 0.00327
scoring_system epss
scoring_elements 0.55697
published_at 2026-04-16T12:55:00Z
3
value 0.00327
scoring_system epss
scoring_elements 0.55658
published_at 2026-04-13T12:55:00Z
4
value 0.00327
scoring_system epss
scoring_elements 0.55676
published_at 2026-04-12T12:55:00Z
5
value 0.00327
scoring_system epss
scoring_elements 0.55696
published_at 2026-04-11T12:55:00Z
6
value 0.00327
scoring_system epss
scoring_elements 0.55687
published_at 2026-04-09T12:55:00Z
7
value 0.00327
scoring_system epss
scoring_elements 0.55684
published_at 2026-04-08T12:55:00Z
8
value 0.00327
scoring_system epss
scoring_elements 0.55632
published_at 2026-04-07T12:55:00Z
9
value 0.00327
scoring_system epss
scoring_elements 0.55654
published_at 2026-04-04T12:55:00Z
10
value 0.00327
scoring_system epss
scoring_elements 0.5563
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-32767
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32767.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32767.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32767.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32767.yaml
3
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
4
reference_url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-34fr-fhqr-7235
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-34fr-fhqr-7235
5
reference_url https://github.com/TYPO3/typo3/commit/0b4950163b8919451964133febc65bcdfcec721c
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/0b4950163b8919451964133febc65bcdfcec721c
6
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-34fr-fhqr-7235
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/security/advisories/GHSA-34fr-fhqr-7235
7
reference_url https://typo3.org/security/advisory/typo3-core-sa-2021-012
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2021-012
8
reference_url https://typo3.org/security/advisory/typo3-core-sa-2021-013
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2021-013
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-32767
reference_id CVE-2021-32767
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-32767
10
reference_url https://github.com/advisories/GHSA-34fr-fhqr-7235
reference_id GHSA-34fr-fhqr-7235
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-34fr-fhqr-7235
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.41
purl pkg:composer/typo3/cms-core@8.7.41
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-y32z-2d3f-gkgw
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.41
1
url pkg:composer/typo3/cms-core@9.5.28
purl pkg:composer/typo3/cms-core@9.5.28
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4jpa-6fqh-hbfg
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-5paq-5frf-43ed
3
vulnerability VCID-65ue-7jd9-23gf
4
vulnerability VCID-8d2m-1ffv-jqe1
5
vulnerability VCID-axvk-13qf-tka7
6
vulnerability VCID-b6er-h7dm-3bev
7
vulnerability VCID-bajy-qbwq-fufn
8
vulnerability VCID-e32h-8q61-hbgc
9
vulnerability VCID-ekfd-wp8z-d7e1
10
vulnerability VCID-g4uc-qeb6-myed
11
vulnerability VCID-gv1b-xtv4-4yg3
12
vulnerability VCID-h6y3-7gsq-skh2
13
vulnerability VCID-mnz3-rj21-67ad
14
vulnerability VCID-mud2-s4rc-fuf6
15
vulnerability VCID-n7ng-zkkb-2qaz
16
vulnerability VCID-nubu-f1sc-gbes
17
vulnerability VCID-remd-55jh-r3g5
18
vulnerability VCID-s55j-8hbt-akhn
19
vulnerability VCID-s64f-x81f-b7ce
20
vulnerability VCID-t1n7-eswt-73gw
21
vulnerability VCID-taj6-zj2n-5kg8
22
vulnerability VCID-ve7g-8st5-wffb
23
vulnerability VCID-vyvy-y3cw-hbgr
24
vulnerability VCID-w13x-3rp9-wyej
25
vulnerability VCID-xy6y-312d-rygj
26
vulnerability VCID-y32z-2d3f-gkgw
27
vulnerability VCID-zdq2-dhb2-6kaq
28
vulnerability VCID-zn99-ywte-33g6
29
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.28
2
url pkg:composer/typo3/cms-core@10.4.18
purl pkg:composer/typo3/cms-core@10.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-8d2m-1ffv-jqe1
7
vulnerability VCID-8sdd-b1bn-cuhx
8
vulnerability VCID-av8u-rvzq-4fc7
9
vulnerability VCID-axvk-13qf-tka7
10
vulnerability VCID-b6er-h7dm-3bev
11
vulnerability VCID-bajy-qbwq-fufn
12
vulnerability VCID-e32h-8q61-hbgc
13
vulnerability VCID-g4uc-qeb6-myed
14
vulnerability VCID-gv1b-xtv4-4yg3
15
vulnerability VCID-gyyu-n3b1-zbcj
16
vulnerability VCID-h6y3-7gsq-skh2
17
vulnerability VCID-mnz3-rj21-67ad
18
vulnerability VCID-mud2-s4rc-fuf6
19
vulnerability VCID-n7ng-zkkb-2qaz
20
vulnerability VCID-nubu-f1sc-gbes
21
vulnerability VCID-remd-55jh-r3g5
22
vulnerability VCID-s55j-8hbt-akhn
23
vulnerability VCID-t1n7-eswt-73gw
24
vulnerability VCID-taj6-zj2n-5kg8
25
vulnerability VCID-ve7g-8st5-wffb
26
vulnerability VCID-vwb2-a84s-5qak
27
vulnerability VCID-vyvy-y3cw-hbgr
28
vulnerability VCID-w13x-3rp9-wyej
29
vulnerability VCID-xy6y-312d-rygj
30
vulnerability VCID-y32z-2d3f-gkgw
31
vulnerability VCID-zdq2-dhb2-6kaq
32
vulnerability VCID-zn99-ywte-33g6
33
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.18
3
url pkg:composer/typo3/cms-core@11.3.1
purl pkg:composer/typo3/cms-core@11.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-8d2m-1ffv-jqe1
7
vulnerability VCID-8sdd-b1bn-cuhx
8
vulnerability VCID-av8u-rvzq-4fc7
9
vulnerability VCID-axvk-13qf-tka7
10
vulnerability VCID-b6er-h7dm-3bev
11
vulnerability VCID-bajy-qbwq-fufn
12
vulnerability VCID-e32h-8q61-hbgc
13
vulnerability VCID-g4uc-qeb6-myed
14
vulnerability VCID-gv1b-xtv4-4yg3
15
vulnerability VCID-gyyu-n3b1-zbcj
16
vulnerability VCID-h6y3-7gsq-skh2
17
vulnerability VCID-jjbn-6efk-nud2
18
vulnerability VCID-mnz3-rj21-67ad
19
vulnerability VCID-mud2-s4rc-fuf6
20
vulnerability VCID-n7ng-zkkb-2qaz
21
vulnerability VCID-nubu-f1sc-gbes
22
vulnerability VCID-remd-55jh-r3g5
23
vulnerability VCID-s55j-8hbt-akhn
24
vulnerability VCID-t1n7-eswt-73gw
25
vulnerability VCID-taj6-zj2n-5kg8
26
vulnerability VCID-uyeu-a3xr-fkh4
27
vulnerability VCID-ve7g-8st5-wffb
28
vulnerability VCID-vwb2-a84s-5qak
29
vulnerability VCID-vyvy-y3cw-hbgr
30
vulnerability VCID-w13x-3rp9-wyej
31
vulnerability VCID-xy6y-312d-rygj
32
vulnerability VCID-y32z-2d3f-gkgw
33
vulnerability VCID-zdq2-dhb2-6kaq
34
vulnerability VCID-zn99-ywte-33g6
35
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.3.1
aliases CVE-2021-32767, GHSA-34fr-fhqr-7235
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n15v-ta9h-6ffb
15
url VCID-n7ng-zkkb-2qaz
vulnerability_id VCID-n7ng-zkkb-2qaz
summary 
TYPO3 vulnerable to Improper Access Control of Resources Referenced by t3:// URI Scheme
### Problem
The TYPO3-specific [`t3://` URI scheme](https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references) could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account.

### Solution
Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described.

### Credits
Thanks to Richie Lee who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue.

### References
* [TYPO3-CORE-SA-2024-005](https://typo3.org/security/advisory/typo3-core-sa-2024-005)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-25120
reference_id
reference_type
scores
0
value 0.00188
scoring_system epss
scoring_elements 0.40722
published_at 2026-04-04T12:55:00Z
1
value 0.00188
scoring_system epss
scoring_elements 0.40681
published_at 2026-04-18T12:55:00Z
2
value 0.00188
scoring_system epss
scoring_elements 0.40711
published_at 2026-04-16T12:55:00Z
3
value 0.00188
scoring_system epss
scoring_elements 0.40666
published_at 2026-04-13T12:55:00Z
4
value 0.00188
scoring_system epss
scoring_elements 0.40684
published_at 2026-04-12T12:55:00Z
5
value 0.00188
scoring_system epss
scoring_elements 0.40719
published_at 2026-04-11T12:55:00Z
6
value 0.00188
scoring_system epss
scoring_elements 0.40702
published_at 2026-04-09T12:55:00Z
7
value 0.00188
scoring_system epss
scoring_elements 0.40695
published_at 2026-04-08T12:55:00Z
8
value 0.00188
scoring_system epss
scoring_elements 0.40645
published_at 2026-04-07T12:55:00Z
9
value 0.00188
scoring_system epss
scoring_elements 0.40694
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-25120
1
reference_url https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-14T15:55:10Z/
url https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references
2
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
3
reference_url https://github.com/TYPO3/typo3/commit/2de87ff113ba24333ab7cbb8078588743f8958d6
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/2de87ff113ba24333ab7cbb8078588743f8958d6
4
reference_url https://github.com/TYPO3/typo3/commit/33f4d279b82bca0a509227a17065244c6156e68f
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/33f4d279b82bca0a509227a17065244c6156e68f
5
reference_url https://github.com/TYPO3/typo3/commit/ae0dfc4c058a90c10eedb3f49cfaf33164d21cdd
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/ae0dfc4c058a90c10eedb3f49cfaf33164d21cdd
6
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7c
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-14T15:55:10Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7c
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-25120
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-25120
8
reference_url https://typo3.org/security/advisory/typo3-core-sa-2024-005
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-14T15:55:10Z/
url https://typo3.org/security/advisory/typo3-core-sa-2024-005
9
reference_url https://github.com/advisories/GHSA-wf85-8hx9-gj7c
reference_id GHSA-wf85-8hx9-gj7c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wf85-8hx9-gj7c
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.57
purl pkg:composer/typo3/cms-core@8.7.57
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.57
1
url pkg:composer/typo3/cms-core@9.5.46
purl pkg:composer/typo3/cms-core@9.5.46
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.46
2
url pkg:composer/typo3/cms-core@10.4.43
purl pkg:composer/typo3/cms-core@10.4.43
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.43
3
url pkg:composer/typo3/cms-core@11.5.35
purl pkg:composer/typo3/cms-core@11.5.35
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-mud2-s4rc-fuf6
6
vulnerability VCID-nubu-f1sc-gbes
7
vulnerability VCID-xy6y-312d-rygj
8
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.35
4
url pkg:composer/typo3/cms-core@12.4.11
purl pkg:composer/typo3/cms-core@12.4.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-jxw7-skw6-q7bg
6
vulnerability VCID-mud2-s4rc-fuf6
7
vulnerability VCID-nubu-f1sc-gbes
8
vulnerability VCID-xy6y-312d-rygj
9
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.11
5
url pkg:composer/typo3/cms-core@13.0.1
purl pkg:composer/typo3/cms-core@13.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-jxw7-skw6-q7bg
6
vulnerability VCID-mud2-s4rc-fuf6
7
vulnerability VCID-nubu-f1sc-gbes
8
vulnerability VCID-xy6y-312d-rygj
9
vulnerability VCID-yxy9-ngwb-6qdm
10
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.1
aliases CVE-2024-25120, GHSA-wf85-8hx9-gj7c
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n7ng-zkkb-2qaz
16
url VCID-s55j-8hbt-akhn
vulnerability_id VCID-s55j-8hbt-akhn
summary 
Information Disclosure via Export Module
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C` (4.0)

### Problem
The export functionality fails to limit the result set to allowed columns of a particular database table. This allows authenticated users to export internal details of database tables to which they already have access.

### Solution
Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above.

In order to address this issue, access to mentioned export functionality is completely denied for regular backend users.

ℹ️  **Strong security defaults - Manual actions required**
Following User TSconfig setting would allow using the export functionality for particular users:
```
options.impexp.enableExportForNonAdminUser = 1
```

### Credits
Thanks to TYPO3 core merger Lina Wolf who reported this issue and to TYPO3 security member Torben Hansen  who fixed the issue.

### References
* [TYPO3-CORE-SA-2022-001](https://typo3.org/security/advisory/typo3-core-sa-2022-001)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-31046
reference_id
reference_type
scores
0
value 0.00148
scoring_system epss
scoring_elements 0.35391
published_at 2026-04-08T12:55:00Z
1
value 0.00148
scoring_system epss
scoring_elements 0.35437
published_at 2026-04-02T12:55:00Z
2
value 0.00148
scoring_system epss
scoring_elements 0.35387
published_at 2026-04-18T12:55:00Z
3
value 0.00148
scoring_system epss
scoring_elements 0.35398
published_at 2026-04-16T12:55:00Z
4
value 0.00148
scoring_system epss
scoring_elements 0.35359
published_at 2026-04-13T12:55:00Z
5
value 0.00148
scoring_system epss
scoring_elements 0.35381
published_at 2026-04-12T12:55:00Z
6
value 0.00148
scoring_system epss
scoring_elements 0.35417
published_at 2026-04-11T12:55:00Z
7
value 0.00148
scoring_system epss
scoring_elements 0.35416
published_at 2026-04-09T12:55:00Z
8
value 0.00148
scoring_system epss
scoring_elements 0.35461
published_at 2026-04-04T12:55:00Z
9
value 0.00148
scoring_system epss
scoring_elements 0.35345
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-31046
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-31046.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-31046.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31046.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31046.yaml
3
reference_url https://github.com/TYPO3-CMS/core
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3-CMS/core
4
reference_url https://github.com/TYPO3/typo3/commit/7447a3d1283017d2ee08737a7972c720001a93e9
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:21Z/
url https://github.com/TYPO3/typo3/commit/7447a3d1283017d2ee08737a7972c720001a93e9
5
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-8gmv-9hwg-w89g
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:21Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-8gmv-9hwg-w89g
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-31046
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-31046
7
reference_url https://typo3.org/security/advisory/typo3-core-sa-2022-001
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:21Z/
url https://typo3.org/security/advisory/typo3-core-sa-2022-001
8
reference_url https://github.com/advisories/GHSA-8gmv-9hwg-w89g
reference_id GHSA-8gmv-9hwg-w89g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8gmv-9hwg-w89g
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.47
purl pkg:composer/typo3/cms-core@8.7.47
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5paq-5frf-43ed
1
vulnerability VCID-b6er-h7dm-3bev
2
vulnerability VCID-mnz3-rj21-67ad
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.47
1
url pkg:composer/typo3/cms-core@9.5.35
purl pkg:composer/typo3/cms-core@9.5.35
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.35
2
url pkg:composer/typo3/cms-core@10.4.29
purl pkg:composer/typo3/cms-core@10.4.29
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4t9s-p25a-cfas
3
vulnerability VCID-5paq-5frf-43ed
4
vulnerability VCID-65ue-7jd9-23gf
5
vulnerability VCID-8d2m-1ffv-jqe1
6
vulnerability VCID-8sdd-b1bn-cuhx
7
vulnerability VCID-av8u-rvzq-4fc7
8
vulnerability VCID-axvk-13qf-tka7
9
vulnerability VCID-b6er-h7dm-3bev
10
vulnerability VCID-g4uc-qeb6-myed
11
vulnerability VCID-gv1b-xtv4-4yg3
12
vulnerability VCID-gyyu-n3b1-zbcj
13
vulnerability VCID-h6y3-7gsq-skh2
14
vulnerability VCID-mnz3-rj21-67ad
15
vulnerability VCID-mud2-s4rc-fuf6
16
vulnerability VCID-n7ng-zkkb-2qaz
17
vulnerability VCID-nubu-f1sc-gbes
18
vulnerability VCID-t1n7-eswt-73gw
19
vulnerability VCID-taj6-zj2n-5kg8
20
vulnerability VCID-ve7g-8st5-wffb
21
vulnerability VCID-vwb2-a84s-5qak
22
vulnerability VCID-vyvy-y3cw-hbgr
23
vulnerability VCID-w13x-3rp9-wyej
24
vulnerability VCID-xy6y-312d-rygj
25
vulnerability VCID-zdq2-dhb2-6kaq
26
vulnerability VCID-zn99-ywte-33g6
27
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.29
3
url pkg:composer/typo3/cms-core@11.5.11
purl pkg:composer/typo3/cms-core@11.5.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4t9s-p25a-cfas
3
vulnerability VCID-5paq-5frf-43ed
4
vulnerability VCID-65ue-7jd9-23gf
5
vulnerability VCID-8d2m-1ffv-jqe1
6
vulnerability VCID-8sdd-b1bn-cuhx
7
vulnerability VCID-av8u-rvzq-4fc7
8
vulnerability VCID-axvk-13qf-tka7
9
vulnerability VCID-b6er-h7dm-3bev
10
vulnerability VCID-g4uc-qeb6-myed
11
vulnerability VCID-gv1b-xtv4-4yg3
12
vulnerability VCID-gyyu-n3b1-zbcj
13
vulnerability VCID-h6y3-7gsq-skh2
14
vulnerability VCID-mnz3-rj21-67ad
15
vulnerability VCID-mud2-s4rc-fuf6
16
vulnerability VCID-n7ng-zkkb-2qaz
17
vulnerability VCID-nubu-f1sc-gbes
18
vulnerability VCID-t1n7-eswt-73gw
19
vulnerability VCID-taj6-zj2n-5kg8
20
vulnerability VCID-tnxn-p13f-yuah
21
vulnerability VCID-ve7g-8st5-wffb
22
vulnerability VCID-vwb2-a84s-5qak
23
vulnerability VCID-vyvy-y3cw-hbgr
24
vulnerability VCID-w13x-3rp9-wyej
25
vulnerability VCID-xy6y-312d-rygj
26
vulnerability VCID-zdq2-dhb2-6kaq
27
vulnerability VCID-zn99-ywte-33g6
28
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.11
aliases CVE-2022-31046, GHSA-8gmv-9hwg-w89g
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s55j-8hbt-akhn
17
url VCID-s64f-x81f-b7ce
vulnerability_id VCID-s64f-x81f-b7ce
summary 
Cross-site Scripting
TYPO3 contains a cross-site scripting vulnerability. When error messages are not properly encoded, the components `_QueryGenerator_` and `_QueryView_` are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. TYPO3 contain a patch for this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-32668
reference_id
reference_type
scores
0
value 0.00364
scoring_system epss
scoring_elements 0.5848
published_at 2026-04-18T12:55:00Z
1
value 0.00364
scoring_system epss
scoring_elements 0.58328
published_at 2026-04-01T12:55:00Z
2
value 0.00364
scoring_system epss
scoring_elements 0.58412
published_at 2026-04-02T12:55:00Z
3
value 0.00364
scoring_system epss
scoring_elements 0.58432
published_at 2026-04-04T12:55:00Z
4
value 0.00364
scoring_system epss
scoring_elements 0.58406
published_at 2026-04-07T12:55:00Z
5
value 0.00364
scoring_system epss
scoring_elements 0.58459
published_at 2026-04-08T12:55:00Z
6
value 0.00364
scoring_system epss
scoring_elements 0.58465
published_at 2026-04-09T12:55:00Z
7
value 0.00364
scoring_system epss
scoring_elements 0.58482
published_at 2026-04-11T12:55:00Z
8
value 0.00364
scoring_system epss
scoring_elements 0.58463
published_at 2026-04-12T12:55:00Z
9
value 0.00364
scoring_system epss
scoring_elements 0.58444
published_at 2026-04-13T12:55:00Z
10
value 0.00364
scoring_system epss
scoring_elements 0.58475
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-32668
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32668.yaml
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32668.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32668.yaml
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32668.yaml
3
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
4
reference_url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-6mh3-j5r5-2379
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-6mh3-j5r5-2379
5
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-6mh3-j5r5-2379
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/security/advisories/GHSA-6mh3-j5r5-2379
6
reference_url https://typo3.org/security/advisory/typo3-core-sa-2021-010
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2021-010
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-32668
reference_id CVE-2021-32668
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-32668
8
reference_url https://github.com/advisories/GHSA-6mh3-j5r5-2379
reference_id GHSA-6mh3-j5r5-2379
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6mh3-j5r5-2379
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.41
purl pkg:composer/typo3/cms-core@8.7.41
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-y32z-2d3f-gkgw
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.41
1
url pkg:composer/typo3/cms-core@9.5.28
purl pkg:composer/typo3/cms-core@9.5.28
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4jpa-6fqh-hbfg
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-5paq-5frf-43ed
3
vulnerability VCID-65ue-7jd9-23gf
4
vulnerability VCID-8d2m-1ffv-jqe1
5
vulnerability VCID-axvk-13qf-tka7
6
vulnerability VCID-b6er-h7dm-3bev
7
vulnerability VCID-bajy-qbwq-fufn
8
vulnerability VCID-e32h-8q61-hbgc
9
vulnerability VCID-ekfd-wp8z-d7e1
10
vulnerability VCID-g4uc-qeb6-myed
11
vulnerability VCID-gv1b-xtv4-4yg3
12
vulnerability VCID-h6y3-7gsq-skh2
13
vulnerability VCID-mnz3-rj21-67ad
14
vulnerability VCID-mud2-s4rc-fuf6
15
vulnerability VCID-n7ng-zkkb-2qaz
16
vulnerability VCID-nubu-f1sc-gbes
17
vulnerability VCID-remd-55jh-r3g5
18
vulnerability VCID-s55j-8hbt-akhn
19
vulnerability VCID-s64f-x81f-b7ce
20
vulnerability VCID-t1n7-eswt-73gw
21
vulnerability VCID-taj6-zj2n-5kg8
22
vulnerability VCID-ve7g-8st5-wffb
23
vulnerability VCID-vyvy-y3cw-hbgr
24
vulnerability VCID-w13x-3rp9-wyej
25
vulnerability VCID-xy6y-312d-rygj
26
vulnerability VCID-y32z-2d3f-gkgw
27
vulnerability VCID-zdq2-dhb2-6kaq
28
vulnerability VCID-zn99-ywte-33g6
29
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.28
2
url pkg:composer/typo3/cms-core@10.4.18
purl pkg:composer/typo3/cms-core@10.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-8d2m-1ffv-jqe1
7
vulnerability VCID-8sdd-b1bn-cuhx
8
vulnerability VCID-av8u-rvzq-4fc7
9
vulnerability VCID-axvk-13qf-tka7
10
vulnerability VCID-b6er-h7dm-3bev
11
vulnerability VCID-bajy-qbwq-fufn
12
vulnerability VCID-e32h-8q61-hbgc
13
vulnerability VCID-g4uc-qeb6-myed
14
vulnerability VCID-gv1b-xtv4-4yg3
15
vulnerability VCID-gyyu-n3b1-zbcj
16
vulnerability VCID-h6y3-7gsq-skh2
17
vulnerability VCID-mnz3-rj21-67ad
18
vulnerability VCID-mud2-s4rc-fuf6
19
vulnerability VCID-n7ng-zkkb-2qaz
20
vulnerability VCID-nubu-f1sc-gbes
21
vulnerability VCID-remd-55jh-r3g5
22
vulnerability VCID-s55j-8hbt-akhn
23
vulnerability VCID-t1n7-eswt-73gw
24
vulnerability VCID-taj6-zj2n-5kg8
25
vulnerability VCID-ve7g-8st5-wffb
26
vulnerability VCID-vwb2-a84s-5qak
27
vulnerability VCID-vyvy-y3cw-hbgr
28
vulnerability VCID-w13x-3rp9-wyej
29
vulnerability VCID-xy6y-312d-rygj
30
vulnerability VCID-y32z-2d3f-gkgw
31
vulnerability VCID-zdq2-dhb2-6kaq
32
vulnerability VCID-zn99-ywte-33g6
33
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.18
3
url pkg:composer/typo3/cms-core@11.3.1
purl pkg:composer/typo3/cms-core@11.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-8d2m-1ffv-jqe1
7
vulnerability VCID-8sdd-b1bn-cuhx
8
vulnerability VCID-av8u-rvzq-4fc7
9
vulnerability VCID-axvk-13qf-tka7
10
vulnerability VCID-b6er-h7dm-3bev
11
vulnerability VCID-bajy-qbwq-fufn
12
vulnerability VCID-e32h-8q61-hbgc
13
vulnerability VCID-g4uc-qeb6-myed
14
vulnerability VCID-gv1b-xtv4-4yg3
15
vulnerability VCID-gyyu-n3b1-zbcj
16
vulnerability VCID-h6y3-7gsq-skh2
17
vulnerability VCID-jjbn-6efk-nud2
18
vulnerability VCID-mnz3-rj21-67ad
19
vulnerability VCID-mud2-s4rc-fuf6
20
vulnerability VCID-n7ng-zkkb-2qaz
21
vulnerability VCID-nubu-f1sc-gbes
22
vulnerability VCID-remd-55jh-r3g5
23
vulnerability VCID-s55j-8hbt-akhn
24
vulnerability VCID-t1n7-eswt-73gw
25
vulnerability VCID-taj6-zj2n-5kg8
26
vulnerability VCID-uyeu-a3xr-fkh4
27
vulnerability VCID-ve7g-8st5-wffb
28
vulnerability VCID-vwb2-a84s-5qak
29
vulnerability VCID-vyvy-y3cw-hbgr
30
vulnerability VCID-w13x-3rp9-wyej
31
vulnerability VCID-xy6y-312d-rygj
32
vulnerability VCID-y32z-2d3f-gkgw
33
vulnerability VCID-zdq2-dhb2-6kaq
34
vulnerability VCID-zn99-ywte-33g6
35
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.3.1
aliases CVE-2021-32668, GHSA-6mh3-j5r5-2379
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s64f-x81f-b7ce
18
url VCID-t1n7-eswt-73gw
vulnerability_id VCID-t1n7-eswt-73gw
summary 
TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework
### Problem
Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it was possible to inject code instructions to be processed and executed via TypoScript as PHP code.

The existence of individual TypoScript instructions for a particular form item (known as [`formDefinitionOverrides`](https://docs.typo3.org/c/typo3/cms-form/main/en-us/I/Concepts/FrontendRendering/Index.html#form-element-properties)) and a valid backend user account with access to the form module are needed to exploit this vulnerability.

### Solution
Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.

### References
* [TYPO3-CORE-SA-2022-015](https://typo3.org/security/advisory/typo3-core-sa-2022-015)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-23503
reference_id
reference_type
scores
0
value 0.00517
scoring_system epss
scoring_elements 0.66719
published_at 2026-04-08T12:55:00Z
1
value 0.00517
scoring_system epss
scoring_elements 0.66759
published_at 2026-04-18T12:55:00Z
2
value 0.00517
scoring_system epss
scoring_elements 0.66745
published_at 2026-04-16T12:55:00Z
3
value 0.00517
scoring_system epss
scoring_elements 0.66711
published_at 2026-04-13T12:55:00Z
4
value 0.00517
scoring_system epss
scoring_elements 0.6674
published_at 2026-04-12T12:55:00Z
5
value 0.00517
scoring_system epss
scoring_elements 0.66754
published_at 2026-04-11T12:55:00Z
6
value 0.00517
scoring_system epss
scoring_elements 0.66734
published_at 2026-04-09T12:55:00Z
7
value 0.00517
scoring_system epss
scoring_elements 0.66671
published_at 2026-04-02T12:55:00Z
8
value 0.00517
scoring_system epss
scoring_elements 0.66697
published_at 2026-04-04T12:55:00Z
9
value 0.00517
scoring_system epss
scoring_elements 0.6667
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-23503
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23503.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23503.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23503.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23503.yaml
3
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
4
reference_url https://github.com/TYPO3/typo3/commit/1302e88565821f2159e08b5d818d28de17ecc830
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/1302e88565821f2159e08b5d818d28de17ecc830
5
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-c5wx-6c2c-f7rm
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-18T18:23:57Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-c5wx-6c2c-f7rm
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-23503
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-23503
7
reference_url https://typo3.org/security/advisory/typo3-core-sa-2022-015
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2022-015
8
reference_url https://github.com/advisories/GHSA-c5wx-6c2c-f7rm
reference_id GHSA-c5wx-6c2c-f7rm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c5wx-6c2c-f7rm
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.49
purl pkg:composer/typo3/cms-core@8.7.49
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.49
1
url pkg:composer/typo3/cms-core@9.5.38
purl pkg:composer/typo3/cms-core@9.5.38
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.38
2
url pkg:composer/typo3/cms-core@10.4.33
purl pkg:composer/typo3/cms-core@10.4.33
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-axvk-13qf-tka7
5
vulnerability VCID-g4uc-qeb6-myed
6
vulnerability VCID-gv1b-xtv4-4yg3
7
vulnerability VCID-gyyu-n3b1-zbcj
8
vulnerability VCID-h6y3-7gsq-skh2
9
vulnerability VCID-mud2-s4rc-fuf6
10
vulnerability VCID-n7ng-zkkb-2qaz
11
vulnerability VCID-nubu-f1sc-gbes
12
vulnerability VCID-taj6-zj2n-5kg8
13
vulnerability VCID-vyvy-y3cw-hbgr
14
vulnerability VCID-xy6y-312d-rygj
15
vulnerability VCID-zn99-ywte-33g6
16
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.33
3
url pkg:composer/typo3/cms-core@11.5.20
purl pkg:composer/typo3/cms-core@11.5.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-axvk-13qf-tka7
5
vulnerability VCID-g4uc-qeb6-myed
6
vulnerability VCID-gv1b-xtv4-4yg3
7
vulnerability VCID-gyyu-n3b1-zbcj
8
vulnerability VCID-h6y3-7gsq-skh2
9
vulnerability VCID-mud2-s4rc-fuf6
10
vulnerability VCID-n7ng-zkkb-2qaz
11
vulnerability VCID-nubu-f1sc-gbes
12
vulnerability VCID-taj6-zj2n-5kg8
13
vulnerability VCID-vyvy-y3cw-hbgr
14
vulnerability VCID-xy6y-312d-rygj
15
vulnerability VCID-zn99-ywte-33g6
16
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.20
4
url pkg:composer/typo3/cms-core@12.1.1
purl pkg:composer/typo3/cms-core@12.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-axvk-13qf-tka7
5
vulnerability VCID-g4uc-qeb6-myed
6
vulnerability VCID-gv1b-xtv4-4yg3
7
vulnerability VCID-gyyu-n3b1-zbcj
8
vulnerability VCID-h6y3-7gsq-skh2
9
vulnerability VCID-jxw7-skw6-q7bg
10
vulnerability VCID-mud2-s4rc-fuf6
11
vulnerability VCID-n7ng-zkkb-2qaz
12
vulnerability VCID-nubu-f1sc-gbes
13
vulnerability VCID-taj6-zj2n-5kg8
14
vulnerability VCID-vyvy-y3cw-hbgr
15
vulnerability VCID-xy6y-312d-rygj
16
vulnerability VCID-zn99-ywte-33g6
17
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.1.1
aliases CVE-2022-23503, GHSA-c5wx-6c2c-f7rm, GMS-2022-8132
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t1n7-eswt-73gw
19
url VCID-t3jn-vwbx-u7cr
vulnerability_id VCID-t3jn-vwbx-u7cr
summary 
Cross-Site Scripting in Content Preview (CType menu)
### Problem
It has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability.

### Solution
Update to TYPO3 versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described.

### Credits
Thanks to TYPO3 contributor Oliver Bartsch who reported and fixed the issue.

### References
* [TYPO3-CORE-SA-2021-008](https://typo3.org/security/advisory/typo3-core-sa-2021-008)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21370
reference_id
reference_type
scores
0
value 0.00342
scoring_system epss
scoring_elements 0.56917
published_at 2026-04-18T12:55:00Z
1
value 0.00342
scoring_system epss
scoring_elements 0.56779
published_at 2026-04-01T12:55:00Z
2
value 0.00342
scoring_system epss
scoring_elements 0.56873
published_at 2026-04-02T12:55:00Z
3
value 0.00342
scoring_system epss
scoring_elements 0.56895
published_at 2026-04-04T12:55:00Z
4
value 0.00342
scoring_system epss
scoring_elements 0.56871
published_at 2026-04-07T12:55:00Z
5
value 0.00342
scoring_system epss
scoring_elements 0.56922
published_at 2026-04-08T12:55:00Z
6
value 0.00342
scoring_system epss
scoring_elements 0.56926
published_at 2026-04-09T12:55:00Z
7
value 0.00342
scoring_system epss
scoring_elements 0.56935
published_at 2026-04-11T12:55:00Z
8
value 0.00342
scoring_system epss
scoring_elements 0.56914
published_at 2026-04-12T12:55:00Z
9
value 0.00342
scoring_system epss
scoring_elements 0.56891
published_at 2026-04-13T12:55:00Z
10
value 0.00342
scoring_system epss
scoring_elements 0.56921
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21370
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21370.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21370.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21370.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21370.yaml
3
reference_url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21370
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21370
5
reference_url https://packagist.org/packages/typo3/cms-backend
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://packagist.org/packages/typo3/cms-backend
6
reference_url https://typo3.org/security/advisory/typo3-core-sa-2021-008
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2021-008
7
reference_url https://github.com/advisories/GHSA-x7hc-x7fm-f7qh
reference_id GHSA-x7hc-x7fm-f7qh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x7hc-x7fm-f7qh
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.40
purl pkg:composer/typo3/cms-core@8.7.40
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ekfd-wp8z-d7e1
1
vulnerability VCID-n15v-ta9h-6ffb
2
vulnerability VCID-s64f-x81f-b7ce
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.40
1
url pkg:composer/typo3/cms-core@9.5.25
purl pkg:composer/typo3/cms-core@9.5.25
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4jpa-6fqh-hbfg
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-5paq-5frf-43ed
3
vulnerability VCID-65ue-7jd9-23gf
4
vulnerability VCID-6a9t-8dmn-s3bv
5
vulnerability VCID-8d2m-1ffv-jqe1
6
vulnerability VCID-axvk-13qf-tka7
7
vulnerability VCID-b6er-h7dm-3bev
8
vulnerability VCID-bajy-qbwq-fufn
9
vulnerability VCID-e32h-8q61-hbgc
10
vulnerability VCID-ekfd-wp8z-d7e1
11
vulnerability VCID-g4uc-qeb6-myed
12
vulnerability VCID-gv1b-xtv4-4yg3
13
vulnerability VCID-h6y3-7gsq-skh2
14
vulnerability VCID-mnz3-rj21-67ad
15
vulnerability VCID-mud2-s4rc-fuf6
16
vulnerability VCID-n15v-ta9h-6ffb
17
vulnerability VCID-n7ng-zkkb-2qaz
18
vulnerability VCID-nubu-f1sc-gbes
19
vulnerability VCID-remd-55jh-r3g5
20
vulnerability VCID-s55j-8hbt-akhn
21
vulnerability VCID-s64f-x81f-b7ce
22
vulnerability VCID-t1n7-eswt-73gw
23
vulnerability VCID-taj6-zj2n-5kg8
24
vulnerability VCID-ve7g-8st5-wffb
25
vulnerability VCID-vyvy-y3cw-hbgr
26
vulnerability VCID-w13x-3rp9-wyej
27
vulnerability VCID-xy6y-312d-rygj
28
vulnerability VCID-y32z-2d3f-gkgw
29
vulnerability VCID-zdq2-dhb2-6kaq
30
vulnerability VCID-zn99-ywte-33g6
31
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25
2
url pkg:composer/typo3/cms-core@10.4.14
purl pkg:composer/typo3/cms-core@10.4.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-6a9t-8dmn-s3bv
7
vulnerability VCID-8d2m-1ffv-jqe1
8
vulnerability VCID-8sdd-b1bn-cuhx
9
vulnerability VCID-av8u-rvzq-4fc7
10
vulnerability VCID-axvk-13qf-tka7
11
vulnerability VCID-b6er-h7dm-3bev
12
vulnerability VCID-bajy-qbwq-fufn
13
vulnerability VCID-e32h-8q61-hbgc
14
vulnerability VCID-ekfd-wp8z-d7e1
15
vulnerability VCID-g4uc-qeb6-myed
16
vulnerability VCID-gv1b-xtv4-4yg3
17
vulnerability VCID-gyyu-n3b1-zbcj
18
vulnerability VCID-h6y3-7gsq-skh2
19
vulnerability VCID-mnz3-rj21-67ad
20
vulnerability VCID-mud2-s4rc-fuf6
21
vulnerability VCID-n15v-ta9h-6ffb
22
vulnerability VCID-n7ng-zkkb-2qaz
23
vulnerability VCID-nubu-f1sc-gbes
24
vulnerability VCID-remd-55jh-r3g5
25
vulnerability VCID-s55j-8hbt-akhn
26
vulnerability VCID-s64f-x81f-b7ce
27
vulnerability VCID-t1n7-eswt-73gw
28
vulnerability VCID-taj6-zj2n-5kg8
29
vulnerability VCID-ve7g-8st5-wffb
30
vulnerability VCID-vwb2-a84s-5qak
31
vulnerability VCID-vyvy-y3cw-hbgr
32
vulnerability VCID-w13x-3rp9-wyej
33
vulnerability VCID-xy6y-312d-rygj
34
vulnerability VCID-y32z-2d3f-gkgw
35
vulnerability VCID-zdq2-dhb2-6kaq
36
vulnerability VCID-zn99-ywte-33g6
37
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14
3
url pkg:composer/typo3/cms-core@11.1.1
purl pkg:composer/typo3/cms-core@11.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-6a9t-8dmn-s3bv
7
vulnerability VCID-8d2m-1ffv-jqe1
8
vulnerability VCID-8sdd-b1bn-cuhx
9
vulnerability VCID-av8u-rvzq-4fc7
10
vulnerability VCID-axvk-13qf-tka7
11
vulnerability VCID-b6er-h7dm-3bev
12
vulnerability VCID-bajy-qbwq-fufn
13
vulnerability VCID-e32h-8q61-hbgc
14
vulnerability VCID-ekfd-wp8z-d7e1
15
vulnerability VCID-g4uc-qeb6-myed
16
vulnerability VCID-gv1b-xtv4-4yg3
17
vulnerability VCID-gyyu-n3b1-zbcj
18
vulnerability VCID-h6y3-7gsq-skh2
19
vulnerability VCID-mnz3-rj21-67ad
20
vulnerability VCID-mud2-s4rc-fuf6
21
vulnerability VCID-n15v-ta9h-6ffb
22
vulnerability VCID-n7ng-zkkb-2qaz
23
vulnerability VCID-nubu-f1sc-gbes
24
vulnerability VCID-remd-55jh-r3g5
25
vulnerability VCID-s55j-8hbt-akhn
26
vulnerability VCID-s64f-x81f-b7ce
27
vulnerability VCID-t1n7-eswt-73gw
28
vulnerability VCID-taj6-zj2n-5kg8
29
vulnerability VCID-uyeu-a3xr-fkh4
30
vulnerability VCID-ve7g-8st5-wffb
31
vulnerability VCID-vwb2-a84s-5qak
32
vulnerability VCID-vyvy-y3cw-hbgr
33
vulnerability VCID-w13x-3rp9-wyej
34
vulnerability VCID-xy6y-312d-rygj
35
vulnerability VCID-y32z-2d3f-gkgw
36
vulnerability VCID-zdq2-dhb2-6kaq
37
vulnerability VCID-zn99-ywte-33g6
38
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1
aliases CVE-2021-21370, GHSA-x7hc-x7fm-f7qh
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t3jn-vwbx-u7cr
20
url VCID-taj6-zj2n-5kg8
vulnerability_id VCID-taj6-zj2n-5kg8
summary 
TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler
### Problem
Entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account.


### Solution
Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described.

#### ℹ️ Strong security defaults - Manual actions required

When persisting entities of the File Abstraction Layer directly via DataHandler, `sys_file` entities are now denied by default, and `sys_file_reference` & `sys_file_metadata` entities are not permitted to reference files in the fallback storage anymore.

When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using `$dataHandler->isImporting = true;`.

### Credits
Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue.

### References
* [TYPO3-CORE-SA-2024-006](https://typo3.org/security/advisory/typo3-core-sa-2024-006)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-25121
reference_id
reference_type
scores
0
value 0.003
scoring_system epss
scoring_elements 0.53262
published_at 2026-04-04T12:55:00Z
1
value 0.003
scoring_system epss
scoring_elements 0.53338
published_at 2026-04-18T12:55:00Z
2
value 0.003
scoring_system epss
scoring_elements 0.53332
published_at 2026-04-16T12:55:00Z
3
value 0.003
scoring_system epss
scoring_elements 0.53294
published_at 2026-04-13T12:55:00Z
4
value 0.003
scoring_system epss
scoring_elements 0.53311
published_at 2026-04-12T12:55:00Z
5
value 0.003
scoring_system epss
scoring_elements 0.53327
published_at 2026-04-11T12:55:00Z
6
value 0.003
scoring_system epss
scoring_elements 0.53276
published_at 2026-04-09T12:55:00Z
7
value 0.003
scoring_system epss
scoring_elements 0.53282
published_at 2026-04-08T12:55:00Z
8
value 0.003
scoring_system epss
scoring_elements 0.5323
published_at 2026-04-07T12:55:00Z
9
value 0.003
scoring_system epss
scoring_elements 0.53236
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-25121
1
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
2
reference_url https://github.com/TYPO3/typo3/commit/38f0bf9a61e10365be26eb75bc23a81184dbed07
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/38f0bf9a61e10365be26eb75bc23a81184dbed07
3
reference_url https://github.com/TYPO3/typo3/commit/71e652bf84b16fd3592205f61f36750ab03db74c
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/71e652bf84b16fd3592205f61f36750ab03db74c
4
reference_url https://github.com/TYPO3/typo3/commit/b47b6ddf5a5f3f852c6e43f837360780c12e3c47
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/b47b6ddf5a5f3f852c6e43f837360780c12e3c47
5
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-rj3x-wvc6-5j66
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:07:53Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-rj3x-wvc6-5j66
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-25121
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-25121
7
reference_url https://typo3.org/security/advisory/typo3-core-sa-2024-006
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:07:53Z/
url https://typo3.org/security/advisory/typo3-core-sa-2024-006
8
reference_url https://github.com/advisories/GHSA-rj3x-wvc6-5j66
reference_id GHSA-rj3x-wvc6-5j66
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rj3x-wvc6-5j66
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.57
purl pkg:composer/typo3/cms-core@8.7.57
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.57
1
url pkg:composer/typo3/cms-core@9.5.46
purl pkg:composer/typo3/cms-core@9.5.46
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.46
2
url pkg:composer/typo3/cms-core@10.4.43
purl pkg:composer/typo3/cms-core@10.4.43
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.43
3
url pkg:composer/typo3/cms-core@11.5.35
purl pkg:composer/typo3/cms-core@11.5.35
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-mud2-s4rc-fuf6
6
vulnerability VCID-nubu-f1sc-gbes
7
vulnerability VCID-xy6y-312d-rygj
8
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.35
4
url pkg:composer/typo3/cms-core@12.4.11
purl pkg:composer/typo3/cms-core@12.4.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-jxw7-skw6-q7bg
6
vulnerability VCID-mud2-s4rc-fuf6
7
vulnerability VCID-nubu-f1sc-gbes
8
vulnerability VCID-xy6y-312d-rygj
9
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.11
5
url pkg:composer/typo3/cms-core@13.0.1
purl pkg:composer/typo3/cms-core@13.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-gyyu-n3b1-zbcj
5
vulnerability VCID-jxw7-skw6-q7bg
6
vulnerability VCID-mud2-s4rc-fuf6
7
vulnerability VCID-nubu-f1sc-gbes
8
vulnerability VCID-xy6y-312d-rygj
9
vulnerability VCID-yxy9-ngwb-6qdm
10
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.1
aliases CVE-2024-25121, GHSA-rj3x-wvc6-5j66
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-taj6-zj2n-5kg8
21
url VCID-vyvy-y3cw-hbgr
vulnerability_id VCID-vyvy-y3cw-hbgr
summary 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv('SCRIPT_NAME')` and corresponding usages (as shown below) is vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php is vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-24814
reference_id
reference_type
scores
0
value 0.00867
scoring_system epss
scoring_elements 0.75119
published_at 2026-04-07T12:55:00Z
1
value 0.00867
scoring_system epss
scoring_elements 0.75197
published_at 2026-04-18T12:55:00Z
2
value 0.00867
scoring_system epss
scoring_elements 0.7519
published_at 2026-04-16T12:55:00Z
3
value 0.00867
scoring_system epss
scoring_elements 0.75187
published_at 2026-04-11T12:55:00Z
4
value 0.00867
scoring_system epss
scoring_elements 0.75165
published_at 2026-04-12T12:55:00Z
5
value 0.00867
scoring_system epss
scoring_elements 0.75153
published_at 2026-04-13T12:55:00Z
6
value 0.01074
scoring_system epss
scoring_elements 0.77713
published_at 2026-04-02T12:55:00Z
7
value 0.01074
scoring_system epss
scoring_elements 0.7774
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-24814
1
reference_url https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/
url https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix
2
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
3
reference_url https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/
url https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484
4
reference_url https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/
url https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549
5
reference_url https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/
url https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a
6
reference_url https://typo3.org/security/advisory/typo3-core-sa-2023-001
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/
url https://typo3.org/security/advisory/typo3-core-sa-2023-001
7
reference_url https://typo3.org/security/advisory/typo3-psa-2023-001
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/
url https://typo3.org/security/advisory/typo3-psa-2023-001
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-24814
reference_id CVE-2023-24814
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-24814
9
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2023-24814.yaml
reference_id CVE-2023-24814.YAML
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2023-24814.yaml
10
reference_url https://github.com/advisories/GHSA-r4f8-f93x-5qh3
reference_id GHSA-r4f8-f93x-5qh3
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r4f8-f93x-5qh3
11
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3
reference_id GHSA-r4f8-f93x-5qh3
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.51
purl pkg:composer/typo3/cms-core@8.7.51
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.51
1
url pkg:composer/typo3/cms-core@9.5.40
purl pkg:composer/typo3/cms-core@9.5.40
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.40
2
url pkg:composer/typo3/cms-core@10.4.36
purl pkg:composer/typo3/cms-core@10.4.36
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-axvk-13qf-tka7
5
vulnerability VCID-g4uc-qeb6-myed
6
vulnerability VCID-gv1b-xtv4-4yg3
7
vulnerability VCID-gyyu-n3b1-zbcj
8
vulnerability VCID-h6y3-7gsq-skh2
9
vulnerability VCID-mud2-s4rc-fuf6
10
vulnerability VCID-n7ng-zkkb-2qaz
11
vulnerability VCID-nubu-f1sc-gbes
12
vulnerability VCID-taj6-zj2n-5kg8
13
vulnerability VCID-xy6y-312d-rygj
14
vulnerability VCID-zn99-ywte-33g6
15
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.36
3
url pkg:composer/typo3/cms-core@11.5.23
purl pkg:composer/typo3/cms-core@11.5.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-axvk-13qf-tka7
5
vulnerability VCID-g4uc-qeb6-myed
6
vulnerability VCID-gv1b-xtv4-4yg3
7
vulnerability VCID-gyyu-n3b1-zbcj
8
vulnerability VCID-h6y3-7gsq-skh2
9
vulnerability VCID-mud2-s4rc-fuf6
10
vulnerability VCID-n7ng-zkkb-2qaz
11
vulnerability VCID-nubu-f1sc-gbes
12
vulnerability VCID-taj6-zj2n-5kg8
13
vulnerability VCID-xy6y-312d-rygj
14
vulnerability VCID-zn99-ywte-33g6
15
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.23
4
url pkg:composer/typo3/cms-core@12.2.0
purl pkg:composer/typo3/cms-core@12.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-axvk-13qf-tka7
5
vulnerability VCID-g4uc-qeb6-myed
6
vulnerability VCID-gv1b-xtv4-4yg3
7
vulnerability VCID-gyyu-n3b1-zbcj
8
vulnerability VCID-h6y3-7gsq-skh2
9
vulnerability VCID-jxw7-skw6-q7bg
10
vulnerability VCID-mud2-s4rc-fuf6
11
vulnerability VCID-n7ng-zkkb-2qaz
12
vulnerability VCID-nubu-f1sc-gbes
13
vulnerability VCID-taj6-zj2n-5kg8
14
vulnerability VCID-xy6y-312d-rygj
15
vulnerability VCID-zn99-ywte-33g6
16
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.2.0
aliases CVE-2023-24814, GHSA-r4f8-f93x-5qh3
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vyvy-y3cw-hbgr
22
url VCID-xh7y-56vy-5ud8
vulnerability_id VCID-xh7y-56vy-5ud8
summary 
Unrestricted File Upload in Form Framework
### Problem
Due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_.

TYPO3 Extbase extensions, which implement a file upload and do not implement a custom _TypeConverter_ to transform uploaded files into _FileReference_ domain model objects are affected by the vulnerability as well, since the _UploadedFileReferenceConverter_ of _ext:form_ handles the file upload and will accept files of any mime-type which are persisted to the default location.

In any way, uploaded files are placed in the default location _/fileadmin/user_upload/_, in most scenarios keeping the submitted filename - which allows attackers to directly reference files, or even correctly guess filenames used by other individuals, disclosing this information.

No authentication is required to exploit this vulnerability.

### Solution
Update to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described.

Type converter _UploadedFileReferenceConverter_ is not registered globally anymore and just handles uploaded files within the scope of the Form Framework. Guessable storage location has changed from _/fileadmin/user_upload/form\_\<random-hash\>/_ to _/fileadmin/form_uploads/<random-40-bit>_. Allowed mime-types must match expected file extensions (e.g. _application/pdf_ must be _.pdf_, and cannot be _.html_).

Extbase extensions, who rely on the global availability of the _UploadedFileReferenceConverter_ must now implement a custom _TypeConverter_ to handle file uploads or explicitly implement the ext:form _UploadedFileReferenceConverter_ with appropriate setting for accepted mime-types.

### Credits
Thanks to Sebastian Michaelsen, Marc Lindemann, Oliver Eglseder, Markus Volkmer, Jakob Kunzmann, Johannes Regner, Richie Lee who reported this issue, and to TYPO3 core & security team members Oliver Hader & Benni Mack, as well as TYPO3 contributor Ralf Zimmermann who fixed the issue.

### References
* [TYPO3-CORE-SA-2021-002](https://typo3.org/security/advisory/typo3-core-sa-2021-002)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21355
reference_id
reference_type
scores
0
value 0.00416
scoring_system epss
scoring_elements 0.61782
published_at 2026-04-18T12:55:00Z
1
value 0.00416
scoring_system epss
scoring_elements 0.61606
published_at 2026-04-01T12:55:00Z
2
value 0.00416
scoring_system epss
scoring_elements 0.6168
published_at 2026-04-02T12:55:00Z
3
value 0.00416
scoring_system epss
scoring_elements 0.6171
published_at 2026-04-04T12:55:00Z
4
value 0.00416
scoring_system epss
scoring_elements 0.61682
published_at 2026-04-07T12:55:00Z
5
value 0.00416
scoring_system epss
scoring_elements 0.6173
published_at 2026-04-08T12:55:00Z
6
value 0.00416
scoring_system epss
scoring_elements 0.61746
published_at 2026-04-09T12:55:00Z
7
value 0.00416
scoring_system epss
scoring_elements 0.61767
published_at 2026-04-11T12:55:00Z
8
value 0.00416
scoring_system epss
scoring_elements 0.61755
published_at 2026-04-12T12:55:00Z
9
value 0.00416
scoring_system epss
scoring_elements 0.61736
published_at 2026-04-13T12:55:00Z
10
value 0.00416
scoring_system epss
scoring_elements 0.61777
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21355
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21355.yaml
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21355.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21355.yaml
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21355.yaml
3
reference_url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2r6j-862c-m2v2
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2r6j-862c-m2v2
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21355
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21355
5
reference_url https://packagist.org/packages/typo3/cms-form
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://packagist.org/packages/typo3/cms-form
6
reference_url https://typo3.org/security/advisory/typo3-core-sa-2021-002
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2021-002
7
reference_url https://github.com/advisories/GHSA-2r6j-862c-m2v2
reference_id GHSA-2r6j-862c-m2v2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2r6j-862c-m2v2
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.40
purl pkg:composer/typo3/cms-core@8.7.40
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ekfd-wp8z-d7e1
1
vulnerability VCID-n15v-ta9h-6ffb
2
vulnerability VCID-s64f-x81f-b7ce
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.40
1
url pkg:composer/typo3/cms-core@9.5.25
purl pkg:composer/typo3/cms-core@9.5.25
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4jpa-6fqh-hbfg
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-5paq-5frf-43ed
3
vulnerability VCID-65ue-7jd9-23gf
4
vulnerability VCID-6a9t-8dmn-s3bv
5
vulnerability VCID-8d2m-1ffv-jqe1
6
vulnerability VCID-axvk-13qf-tka7
7
vulnerability VCID-b6er-h7dm-3bev
8
vulnerability VCID-bajy-qbwq-fufn
9
vulnerability VCID-e32h-8q61-hbgc
10
vulnerability VCID-ekfd-wp8z-d7e1
11
vulnerability VCID-g4uc-qeb6-myed
12
vulnerability VCID-gv1b-xtv4-4yg3
13
vulnerability VCID-h6y3-7gsq-skh2
14
vulnerability VCID-mnz3-rj21-67ad
15
vulnerability VCID-mud2-s4rc-fuf6
16
vulnerability VCID-n15v-ta9h-6ffb
17
vulnerability VCID-n7ng-zkkb-2qaz
18
vulnerability VCID-nubu-f1sc-gbes
19
vulnerability VCID-remd-55jh-r3g5
20
vulnerability VCID-s55j-8hbt-akhn
21
vulnerability VCID-s64f-x81f-b7ce
22
vulnerability VCID-t1n7-eswt-73gw
23
vulnerability VCID-taj6-zj2n-5kg8
24
vulnerability VCID-ve7g-8st5-wffb
25
vulnerability VCID-vyvy-y3cw-hbgr
26
vulnerability VCID-w13x-3rp9-wyej
27
vulnerability VCID-xy6y-312d-rygj
28
vulnerability VCID-y32z-2d3f-gkgw
29
vulnerability VCID-zdq2-dhb2-6kaq
30
vulnerability VCID-zn99-ywte-33g6
31
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25
2
url pkg:composer/typo3/cms-core@10.4.14
purl pkg:composer/typo3/cms-core@10.4.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-6a9t-8dmn-s3bv
7
vulnerability VCID-8d2m-1ffv-jqe1
8
vulnerability VCID-8sdd-b1bn-cuhx
9
vulnerability VCID-av8u-rvzq-4fc7
10
vulnerability VCID-axvk-13qf-tka7
11
vulnerability VCID-b6er-h7dm-3bev
12
vulnerability VCID-bajy-qbwq-fufn
13
vulnerability VCID-e32h-8q61-hbgc
14
vulnerability VCID-ekfd-wp8z-d7e1
15
vulnerability VCID-g4uc-qeb6-myed
16
vulnerability VCID-gv1b-xtv4-4yg3
17
vulnerability VCID-gyyu-n3b1-zbcj
18
vulnerability VCID-h6y3-7gsq-skh2
19
vulnerability VCID-mnz3-rj21-67ad
20
vulnerability VCID-mud2-s4rc-fuf6
21
vulnerability VCID-n15v-ta9h-6ffb
22
vulnerability VCID-n7ng-zkkb-2qaz
23
vulnerability VCID-nubu-f1sc-gbes
24
vulnerability VCID-remd-55jh-r3g5
25
vulnerability VCID-s55j-8hbt-akhn
26
vulnerability VCID-s64f-x81f-b7ce
27
vulnerability VCID-t1n7-eswt-73gw
28
vulnerability VCID-taj6-zj2n-5kg8
29
vulnerability VCID-ve7g-8st5-wffb
30
vulnerability VCID-vwb2-a84s-5qak
31
vulnerability VCID-vyvy-y3cw-hbgr
32
vulnerability VCID-w13x-3rp9-wyej
33
vulnerability VCID-xy6y-312d-rygj
34
vulnerability VCID-y32z-2d3f-gkgw
35
vulnerability VCID-zdq2-dhb2-6kaq
36
vulnerability VCID-zn99-ywte-33g6
37
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14
3
url pkg:composer/typo3/cms-core@11.1.1
purl pkg:composer/typo3/cms-core@11.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-6a9t-8dmn-s3bv
7
vulnerability VCID-8d2m-1ffv-jqe1
8
vulnerability VCID-8sdd-b1bn-cuhx
9
vulnerability VCID-av8u-rvzq-4fc7
10
vulnerability VCID-axvk-13qf-tka7
11
vulnerability VCID-b6er-h7dm-3bev
12
vulnerability VCID-bajy-qbwq-fufn
13
vulnerability VCID-e32h-8q61-hbgc
14
vulnerability VCID-ekfd-wp8z-d7e1
15
vulnerability VCID-g4uc-qeb6-myed
16
vulnerability VCID-gv1b-xtv4-4yg3
17
vulnerability VCID-gyyu-n3b1-zbcj
18
vulnerability VCID-h6y3-7gsq-skh2
19
vulnerability VCID-mnz3-rj21-67ad
20
vulnerability VCID-mud2-s4rc-fuf6
21
vulnerability VCID-n15v-ta9h-6ffb
22
vulnerability VCID-n7ng-zkkb-2qaz
23
vulnerability VCID-nubu-f1sc-gbes
24
vulnerability VCID-remd-55jh-r3g5
25
vulnerability VCID-s55j-8hbt-akhn
26
vulnerability VCID-s64f-x81f-b7ce
27
vulnerability VCID-t1n7-eswt-73gw
28
vulnerability VCID-taj6-zj2n-5kg8
29
vulnerability VCID-uyeu-a3xr-fkh4
30
vulnerability VCID-ve7g-8st5-wffb
31
vulnerability VCID-vwb2-a84s-5qak
32
vulnerability VCID-vyvy-y3cw-hbgr
33
vulnerability VCID-w13x-3rp9-wyej
34
vulnerability VCID-xy6y-312d-rygj
35
vulnerability VCID-y32z-2d3f-gkgw
36
vulnerability VCID-zdq2-dhb2-6kaq
37
vulnerability VCID-zn99-ywte-33g6
38
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1
aliases CVE-2021-21355, GHSA-2r6j-862c-m2v2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xh7y-56vy-5ud8
23
url VCID-y32z-2d3f-gkgw
vulnerability_id VCID-y32z-2d3f-gkgw
summary 
Cross-site Scripting
TYPO3 is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser does not consider all potentially malicious HTML tag & attribute combinations per default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-32768
reference_id
reference_type
scores
0
value 0.00284
scoring_system epss
scoring_elements 0.51812
published_at 2026-04-08T12:55:00Z
1
value 0.00284
scoring_system epss
scoring_elements 0.51874
published_at 2026-04-18T12:55:00Z
2
value 0.00284
scoring_system epss
scoring_elements 0.51867
published_at 2026-04-16T12:55:00Z
3
value 0.00284
scoring_system epss
scoring_elements 0.51825
published_at 2026-04-13T12:55:00Z
4
value 0.00284
scoring_system epss
scoring_elements 0.5184
published_at 2026-04-12T12:55:00Z
5
value 0.00284
scoring_system epss
scoring_elements 0.5186
published_at 2026-04-11T12:55:00Z
6
value 0.00284
scoring_system epss
scoring_elements 0.51771
published_at 2026-04-02T12:55:00Z
7
value 0.00284
scoring_system epss
scoring_elements 0.51797
published_at 2026-04-04T12:55:00Z
8
value 0.00284
scoring_system epss
scoring_elements 0.51757
published_at 2026-04-07T12:55:00Z
9
value 0.00284
scoring_system epss
scoring_elements 0.51722
published_at 2026-04-01T12:55:00Z
10
value 0.00284
scoring_system epss
scoring_elements 0.51809
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-32768
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32768.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32768.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32768.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32768.yaml
3
reference_url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-c5c9-8c6m-727v
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-c5c9-8c6m-727v
4
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-c5c9-8c6m-727v
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/security/advisories/GHSA-c5c9-8c6m-727v
5
reference_url https://typo3.org/security/advisory/typo3-core-sa-2021-013
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2021-013
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-32768
reference_id CVE-2021-32768
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-32768
7
reference_url https://github.com/advisories/GHSA-c5c9-8c6m-727v
reference_id GHSA-c5c9-8c6m-727v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c5c9-8c6m-727v
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.42
purl pkg:composer/typo3/cms-core@8.7.42
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.42
1
url pkg:composer/typo3/cms-core@9.5.29
purl pkg:composer/typo3/cms-core@9.5.29
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4jpa-6fqh-hbfg
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-5paq-5frf-43ed
3
vulnerability VCID-65ue-7jd9-23gf
4
vulnerability VCID-8d2m-1ffv-jqe1
5
vulnerability VCID-axvk-13qf-tka7
6
vulnerability VCID-b6er-h7dm-3bev
7
vulnerability VCID-bajy-qbwq-fufn
8
vulnerability VCID-e32h-8q61-hbgc
9
vulnerability VCID-g4uc-qeb6-myed
10
vulnerability VCID-gv1b-xtv4-4yg3
11
vulnerability VCID-h6y3-7gsq-skh2
12
vulnerability VCID-mnz3-rj21-67ad
13
vulnerability VCID-mud2-s4rc-fuf6
14
vulnerability VCID-n7ng-zkkb-2qaz
15
vulnerability VCID-nubu-f1sc-gbes
16
vulnerability VCID-remd-55jh-r3g5
17
vulnerability VCID-s55j-8hbt-akhn
18
vulnerability VCID-t1n7-eswt-73gw
19
vulnerability VCID-taj6-zj2n-5kg8
20
vulnerability VCID-ve7g-8st5-wffb
21
vulnerability VCID-vyvy-y3cw-hbgr
22
vulnerability VCID-w13x-3rp9-wyej
23
vulnerability VCID-xy6y-312d-rygj
24
vulnerability VCID-zdq2-dhb2-6kaq
25
vulnerability VCID-zn99-ywte-33g6
26
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.29
2
url pkg:composer/typo3/cms-core@10.4.19
purl pkg:composer/typo3/cms-core@10.4.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-8d2m-1ffv-jqe1
7
vulnerability VCID-8sdd-b1bn-cuhx
8
vulnerability VCID-av8u-rvzq-4fc7
9
vulnerability VCID-axvk-13qf-tka7
10
vulnerability VCID-b6er-h7dm-3bev
11
vulnerability VCID-bajy-qbwq-fufn
12
vulnerability VCID-e32h-8q61-hbgc
13
vulnerability VCID-g4uc-qeb6-myed
14
vulnerability VCID-gv1b-xtv4-4yg3
15
vulnerability VCID-gyyu-n3b1-zbcj
16
vulnerability VCID-h6y3-7gsq-skh2
17
vulnerability VCID-mnz3-rj21-67ad
18
vulnerability VCID-mud2-s4rc-fuf6
19
vulnerability VCID-n7ng-zkkb-2qaz
20
vulnerability VCID-nubu-f1sc-gbes
21
vulnerability VCID-remd-55jh-r3g5
22
vulnerability VCID-s55j-8hbt-akhn
23
vulnerability VCID-t1n7-eswt-73gw
24
vulnerability VCID-taj6-zj2n-5kg8
25
vulnerability VCID-ve7g-8st5-wffb
26
vulnerability VCID-vwb2-a84s-5qak
27
vulnerability VCID-vyvy-y3cw-hbgr
28
vulnerability VCID-w13x-3rp9-wyej
29
vulnerability VCID-xy6y-312d-rygj
30
vulnerability VCID-zdq2-dhb2-6kaq
31
vulnerability VCID-zn99-ywte-33g6
32
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.19
3
url pkg:composer/typo3/cms-core@11.3.2
purl pkg:composer/typo3/cms-core@11.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-1yxw-saf5-wue7
2
vulnerability VCID-4jpa-6fqh-hbfg
3
vulnerability VCID-4t9s-p25a-cfas
4
vulnerability VCID-5paq-5frf-43ed
5
vulnerability VCID-65ue-7jd9-23gf
6
vulnerability VCID-8d2m-1ffv-jqe1
7
vulnerability VCID-8sdd-b1bn-cuhx
8
vulnerability VCID-av8u-rvzq-4fc7
9
vulnerability VCID-axvk-13qf-tka7
10
vulnerability VCID-b6er-h7dm-3bev
11
vulnerability VCID-bajy-qbwq-fufn
12
vulnerability VCID-e32h-8q61-hbgc
13
vulnerability VCID-g4uc-qeb6-myed
14
vulnerability VCID-gv1b-xtv4-4yg3
15
vulnerability VCID-gyyu-n3b1-zbcj
16
vulnerability VCID-h6y3-7gsq-skh2
17
vulnerability VCID-jjbn-6efk-nud2
18
vulnerability VCID-mnz3-rj21-67ad
19
vulnerability VCID-mud2-s4rc-fuf6
20
vulnerability VCID-n7ng-zkkb-2qaz
21
vulnerability VCID-nubu-f1sc-gbes
22
vulnerability VCID-remd-55jh-r3g5
23
vulnerability VCID-s55j-8hbt-akhn
24
vulnerability VCID-t1n7-eswt-73gw
25
vulnerability VCID-taj6-zj2n-5kg8
26
vulnerability VCID-uyeu-a3xr-fkh4
27
vulnerability VCID-ve7g-8st5-wffb
28
vulnerability VCID-vwb2-a84s-5qak
29
vulnerability VCID-vyvy-y3cw-hbgr
30
vulnerability VCID-w13x-3rp9-wyej
31
vulnerability VCID-xy6y-312d-rygj
32
vulnerability VCID-zdq2-dhb2-6kaq
33
vulnerability VCID-zn99-ywte-33g6
34
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.3.2
aliases CVE-2021-32768, GHSA-c5c9-8c6m-727v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y32z-2d3f-gkgw
24
url VCID-zdq2-dhb2-6kaq
vulnerability_id VCID-zdq2-dhb2-6kaq
summary 
TYPO3 CMS vulnerable to Weak Authentication in Frontend Login
### Problem
Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary.

### Solution
Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.

### References
* [TYPO3-CORE-SA-2022-013](https://typo3.org/security/advisory/typo3-core-sa-2022-013)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-23501
reference_id
reference_type
scores
0
value 0.00229
scoring_system epss
scoring_elements 0.45749
published_at 2026-04-08T12:55:00Z
1
value 0.00229
scoring_system epss
scoring_elements 0.4579
published_at 2026-04-18T12:55:00Z
2
value 0.00229
scoring_system epss
scoring_elements 0.45795
published_at 2026-04-16T12:55:00Z
3
value 0.00229
scoring_system epss
scoring_elements 0.45746
published_at 2026-04-13T12:55:00Z
4
value 0.00229
scoring_system epss
scoring_elements 0.45738
published_at 2026-04-12T12:55:00Z
5
value 0.00229
scoring_system epss
scoring_elements 0.45768
published_at 2026-04-11T12:55:00Z
6
value 0.00229
scoring_system epss
scoring_elements 0.45745
published_at 2026-04-09T12:55:00Z
7
value 0.00229
scoring_system epss
scoring_elements 0.45724
published_at 2026-04-02T12:55:00Z
8
value 0.00229
scoring_system epss
scoring_elements 0.45744
published_at 2026-04-04T12:55:00Z
9
value 0.00229
scoring_system epss
scoring_elements 0.45693
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-23501
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23501.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23501.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23501.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23501.yaml
3
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
4
reference_url https://github.com/TYPO3/typo3/commit/28be9cdb3fed02ce4cfc6fa2d39f7d8e2266eced
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/28be9cdb3fed02ce4cfc6fa2d39f7d8e2266eced
5
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-jfp7-79g7-89rf
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T18:48:00Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-jfp7-79g7-89rf
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-23501
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-23501
7
reference_url https://typo3.org/security/advisory/typo3-core-sa-2022-013
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2022-013
8
reference_url https://github.com/advisories/GHSA-jfp7-79g7-89rf
reference_id GHSA-jfp7-79g7-89rf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jfp7-79g7-89rf
fixed_packages
0
url pkg:composer/typo3/cms-core@8.7.49
purl pkg:composer/typo3/cms-core@8.7.49
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.49
1
url pkg:composer/typo3/cms-core@9.5.38
purl pkg:composer/typo3/cms-core@9.5.38
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.38
2
url pkg:composer/typo3/cms-core@10.4.33
purl pkg:composer/typo3/cms-core@10.4.33
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-axvk-13qf-tka7
5
vulnerability VCID-g4uc-qeb6-myed
6
vulnerability VCID-gv1b-xtv4-4yg3
7
vulnerability VCID-gyyu-n3b1-zbcj
8
vulnerability VCID-h6y3-7gsq-skh2
9
vulnerability VCID-mud2-s4rc-fuf6
10
vulnerability VCID-n7ng-zkkb-2qaz
11
vulnerability VCID-nubu-f1sc-gbes
12
vulnerability VCID-taj6-zj2n-5kg8
13
vulnerability VCID-vyvy-y3cw-hbgr
14
vulnerability VCID-xy6y-312d-rygj
15
vulnerability VCID-zn99-ywte-33g6
16
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.33
3
url pkg:composer/typo3/cms-core@11.5.20
purl pkg:composer/typo3/cms-core@11.5.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-axvk-13qf-tka7
5
vulnerability VCID-g4uc-qeb6-myed
6
vulnerability VCID-gv1b-xtv4-4yg3
7
vulnerability VCID-gyyu-n3b1-zbcj
8
vulnerability VCID-h6y3-7gsq-skh2
9
vulnerability VCID-mud2-s4rc-fuf6
10
vulnerability VCID-n7ng-zkkb-2qaz
11
vulnerability VCID-nubu-f1sc-gbes
12
vulnerability VCID-taj6-zj2n-5kg8
13
vulnerability VCID-vyvy-y3cw-hbgr
14
vulnerability VCID-xy6y-312d-rygj
15
vulnerability VCID-zn99-ywte-33g6
16
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.20
4
url pkg:composer/typo3/cms-core@12.1.1
purl pkg:composer/typo3/cms-core@12.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1r9g-c5rn-ukgb
1
vulnerability VCID-4t9s-p25a-cfas
2
vulnerability VCID-65ue-7jd9-23gf
3
vulnerability VCID-8d2m-1ffv-jqe1
4
vulnerability VCID-axvk-13qf-tka7
5
vulnerability VCID-g4uc-qeb6-myed
6
vulnerability VCID-gv1b-xtv4-4yg3
7
vulnerability VCID-gyyu-n3b1-zbcj
8
vulnerability VCID-h6y3-7gsq-skh2
9
vulnerability VCID-jxw7-skw6-q7bg
10
vulnerability VCID-mud2-s4rc-fuf6
11
vulnerability VCID-n7ng-zkkb-2qaz
12
vulnerability VCID-nubu-f1sc-gbes
13
vulnerability VCID-taj6-zj2n-5kg8
14
vulnerability VCID-vyvy-y3cw-hbgr
15
vulnerability VCID-xy6y-312d-rygj
16
vulnerability VCID-zn99-ywte-33g6
17
vulnerability VCID-zwgt-rm1f-6bf2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.1.1
aliases CVE-2022-23501, GHSA-jfp7-79g7-89rf, GMS-2022-8134
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zdq2-dhb2-6kaq
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.31