Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/typo3/cms@8.7.23

Type composer

Namespace typo3

Name cms

Version 8.7.23

Qualifiers

Subpath

Is_vulnerable false

Next_non_vulnerable_version 8.7.27

Latest_non_vulnerable_version 12.2.0

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-7ch1-q9f4-a7bt

vulnerability_id VCID-7ch1-q9f4-a7bt

summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
In Bootstrap, XSS is possible in the data-target property of scrollspy.

references

reference_url

http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html

reference_url

http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html

reference_url

https://access.redhat.com/errata/RHSA-2019:1456

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/errata/RHSA-2019:1456

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-14041.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-14041.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-14041

reference_id

reference_type

scores

value	0.07723
scoring_system	epss
scoring_elements	0.92076
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-14041

reference_url

https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2

reference_url

http://seclists.org/fulldisclosure/2019/May/10

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://seclists.org/fulldisclosure/2019/May/10

reference_url

http://seclists.org/fulldisclosure/2019/May/11

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://seclists.org/fulldisclosure/2019/May/11

reference_url

http://seclists.org/fulldisclosure/2019/May/13

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://seclists.org/fulldisclosure/2019/May/13

reference_url

https://github.com/twbs/bootstrap

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/twbs/bootstrap

reference_url

https://github.com/twbs/bootstrap/issues/26423

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/twbs/bootstrap/issues/26423

reference_url

https://github.com/twbs/bootstrap/issues/26627

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/twbs/bootstrap/issues/26627

reference_url

https://github.com/twbs/bootstrap/pull/26630

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/twbs/bootstrap/pull/26630

reference_url

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E

reference_url

https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@%3Cdev.superset.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@%3Cdev.superset.apache.org%3E

reference_url

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E

reference_url

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E

reference_url

https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714@%3Cissues.hbase.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714@%3Cissues.hbase.apache.org%3E

reference_url

https://seclists.org/bugtraq/2019/May/18

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://seclists.org/bugtraq/2019/May/18

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2019-006

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-core-sa-2019-006

reference_url

https://www.oracle.com/security-alerts/cpuApr2021.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuApr2021.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1601616
reference_id	1601616
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1601616

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-14041

reference_id

CVE-2018-14041

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-14041

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2018-14041.yaml

reference_id

CVE-2018-14041.YAML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2018-14041.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2018-14041.yaml

reference_id

CVE-2018-14041.YAML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2018-14041.yaml

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2018-14041.yml

reference_id

CVE-2018-14041.YML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2018-14041.yml

reference_url	https://github.com/advisories/GHSA-pj7m-g53m-7638
reference_id	GHSA-pj7m-g53m-7638
reference_type
scores
url	https://github.com/advisories/GHSA-pj7m-g53m-7638

reference_url	https://access.redhat.com/errata/RHSA-2023:0552
reference_id	RHSA-2023:0552
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0552

reference_url	https://access.redhat.com/errata/RHSA-2023:0553
reference_id	RHSA-2023:0553
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0553

reference_url	https://access.redhat.com/errata/RHSA-2023:0554
reference_id	RHSA-2023:0554
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0554

reference_url	https://access.redhat.com/errata/RHSA-2023:0556
reference_id	RHSA-2023:0556
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0556

reference_url	https://access.redhat.com/errata/RHSA-2023:5693
reference_id	RHSA-2023:5693
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:5693

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

url	pkg:composer/typo3/cms@9.5.4
purl	pkg:composer/typo3/cms@9.5.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.4

aliases CVE-2018-14041, GHSA-pj7m-g53m-7638

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7ch1-q9f4-a7bt

url VCID-9yu1-z7c2-t3fj

vulnerability_id VCID-9yu1-z7c2-t3fj

summary

TYPO3 Cross-Site Scripting in Form Framework
Failing to properly encode user input, frontend forms handled by the form framework (system extension “form”) are vulnerable to cross-site scripting.

references

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-01-22-6.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-01-22-6.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/79528f75e23c2832db321f36d777c1427553f764

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/79528f75e23c2832db321f36d777c1427553f764

reference_url

https://github.com/TYPO3/typo3/commit/a0c4348188559596f292ea03983171bde29d9870

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/a0c4348188559596f292ea03983171bde29d9870

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2019-007

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-core-sa-2019-007

reference_url	https://github.com/advisories/GHSA-4h5c-5g25-v7fh
reference_id	GHSA-4h5c-5g25-v7fh
reference_type
scores
url	https://github.com/advisories/GHSA-4h5c-5g25-v7fh

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

url	pkg:composer/typo3/cms@9.5.4
purl	pkg:composer/typo3/cms@9.5.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.4

aliases GHSA-4h5c-5g25-v7fh

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9yu1-z7c2-t3fj

url VCID-am6s-67bm-77dr

vulnerability_id VCID-am6s-67bm-77dr

summary

Cross-site Scripting
Cross-Site Scripting in Bootstrap CSS toolkit.

references

reference_url	https://typo3.org/security/advisory/typo3-core-sa-2019-006/
reference_id
reference_type
scores
url	https://typo3.org/security/advisory/typo3-core-sa-2019-006/

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

url	pkg:composer/typo3/cms@9.5.4
purl	pkg:composer/typo3/cms@9.5.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.4

aliases GMS-2019-176

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-am6s-67bm-77dr

url VCID-bn3p-39sv-6fdg

vulnerability_id VCID-bn3p-39sv-6fdg

summary

Improper Access Control
Broken Access Control in Localization Handling.

references

reference_url	https://typo3.org/security/advisory/typo3-core-sa-2019-003/
reference_id
reference_type
scores
url	https://typo3.org/security/advisory/typo3-core-sa-2019-003/

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

aliases GMS-2019-174

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bn3p-39sv-6fdg

url VCID-buj5-2t53-3kcr

vulnerability_id VCID-buj5-2t53-3kcr

summary

TYPO3 Information Disclosure of Installed Extensions
It has been discovered that mechanisms used for configuration of RequireJS package loading are susceptible to information disclosure. This way a potential attack can retrieve additional information about installed system and third party extensions.

references

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-01-22-1.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-01-22-1.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/889ed77d2905d8b17afd31c723a23240c978823f

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/889ed77d2905d8b17afd31c723a23240c978823f

reference_url

https://github.com/TYPO3/typo3/commit/c81cca9e419e7aaed551b9b9a8d012ba7bffb287

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/c81cca9e419e7aaed551b9b9a8d012ba7bffb287

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2019-001

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-core-sa-2019-001

reference_url	https://github.com/advisories/GHSA-f624-8hfq-5fh3
reference_id	GHSA-f624-8hfq-5fh3
reference_type
scores
url	https://github.com/advisories/GHSA-f624-8hfq-5fh3

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

url	pkg:composer/typo3/cms@9.5.4
purl	pkg:composer/typo3/cms@9.5.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.4

aliases GHSA-f624-8hfq-5fh3

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-buj5-2t53-3kcr

url VCID-khpm-e1xb-hydb

vulnerability_id VCID-khpm-e1xb-hydb

summary Information Disclosure of Installed Extensions.

references

reference_url	https://typo3.org/security/advisory/typo3-core-sa-2019-001/
reference_id
reference_type
scores
url	https://typo3.org/security/advisory/typo3-core-sa-2019-001/

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

url	pkg:composer/typo3/cms@9.5.4
purl	pkg:composer/typo3/cms@9.5.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.4

aliases GMS-2019-172

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-khpm-e1xb-hydb

url VCID-pmvp-twk2-jqe4

vulnerability_id VCID-pmvp-twk2-jqe4

summary Security Misconfiguration for Backend User Accounts.

references

reference_url	https://typo3.org/security/advisory/typo3-core-sa-2019-002/
reference_id
reference_type
scores
url	https://typo3.org/security/advisory/typo3-core-sa-2019-002/

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

url	pkg:composer/typo3/cms@9.5.4
purl	pkg:composer/typo3/cms@9.5.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.4

aliases GMS-2019-173

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pmvp-twk2-jqe4

url VCID-u259-2sxq-tbct

vulnerability_id VCID-u259-2sxq-tbct

summary

Cross-site Scripting
Cross-Site Scripting in Fluid `ViewHelpers`.

references

reference_url	https://typo3.org/security/advisory/typo3-core-sa-2019-005/
reference_id
reference_type
scores
url	https://typo3.org/security/advisory/typo3-core-sa-2019-005/

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

url	pkg:composer/typo3/cms@9.5.4
purl	pkg:composer/typo3/cms@9.5.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.4

aliases GMS-2019-175

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u259-2sxq-tbct

url VCID-u6as-cwxc-pkhk

vulnerability_id VCID-u6as-cwxc-pkhk

summary

TYPO3 Security Misconfiguration for Backend User Accounts
When using the TYPO3 backend in order to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed - which might be entity type or the admin flag for backend users - the backend form is reloaded in order to reflect changed configuration possibilities. However, this leads to persisting the current state as well, which can result into some of the following:

- account contains empty login credentials (username and/or password)
- account is incomplete and contains weak credentials (username and/or password)

Albeit the functionality provided by the TYPO3 core cannot be used either with empty usernames or empty passwords, it still can be a severe vulnerability to custom authentication service implementations.

This weakness cannot be directly exploited and requires interaction on purpose by some backend user having according privileges.

references

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-01-22-2.yaml

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-01-22-2.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/b3608d14e1915030cde272000a247cb6d5f982b8

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/b3608d14e1915030cde272000a247cb6d5f982b8

reference_url

https://github.com/TYPO3/typo3/commit/e4d0cff40a4f8f597e52c20fff529e206bb62703

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/e4d0cff40a4f8f597e52c20fff529e206bb62703

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2019-002

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-core-sa-2019-002

reference_url	https://github.com/advisories/GHSA-c5mj-39cf-3pp5
reference_id	GHSA-c5mj-39cf-3pp5
reference_type
scores
url	https://github.com/advisories/GHSA-c5mj-39cf-3pp5

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

url	pkg:composer/typo3/cms@9.5.4
purl	pkg:composer/typo3/cms@9.5.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.4

aliases GHSA-c5mj-39cf-3pp5

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u6as-cwxc-pkhk

url VCID-vw2r-g8yy-eyf4

vulnerability_id VCID-vw2r-g8yy-eyf4

summary

Code Injection
Arbitrary Code Execution via File List Module.

references

reference_url	https://typo3.org/security/advisory/typo3-core-sa-2019-008/
reference_id
reference_type
scores
url	https://typo3.org/security/advisory/typo3-core-sa-2019-008/

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

url	pkg:composer/typo3/cms@9.5.4
purl	pkg:composer/typo3/cms@9.5.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.4

aliases GMS-2019-178

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vw2r-g8yy-eyf4

url VCID-w483-prq4-rycx

vulnerability_id VCID-w483-prq4-rycx

summary

TYPO3 Broken Access Control in Localization Handling
It has been discovered that backend users having limited access to specific languages are capable of modifying and creating pages in the default language which actually should be disallowed. A valid backend user account is needed in order to exploit this vulnerability.

references

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-01-22-3.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-01-22-3.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/5004201ee77a69cb825637bc95cdeedb1186f4d4

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/5004201ee77a69cb825637bc95cdeedb1186f4d4

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2019-003

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-core-sa-2019-003

reference_url	https://github.com/advisories/GHSA-772m-43f3-hmf8
reference_id	GHSA-772m-43f3-hmf8
reference_type
scores
url	https://github.com/advisories/GHSA-772m-43f3-hmf8

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

aliases GHSA-772m-43f3-hmf8

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w483-prq4-rycx

url VCID-yh6b-tc4u-v3bk

vulnerability_id VCID-yh6b-tc4u-v3bk

summary

TYPO3 Arbitrary Code Execution via File List Module
Due to missing file extensions in $GLOBALS['TYPO3_CONF_VARS']['BE'][‘fileDenyPattern’], backend users are allowed to upload *.phar, *.shtml, *.pl or *.cgi files which can be executed in certain web server setups. A valid backend user account is needed in order to exploit this vulnerability.

Derivatives of Debian GNU Linux are handling *.phar files as PHP applications since PHP 7.1 (for unofficial packages) and PHP 7.2 (for official packages).

The file extension *.shtml is bound to server side includes which are not enabled per default in most common Linux based distributions. File extension *.pl and *.cgi require additional handlers to be configured which is also not the case in most common distributions (except for /cgi-bin/ location).

references

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-01-22-7.yaml

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-01-22-7.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/095ae4ab6869d0f7dc7befedb851cdd7ad0c7ebf

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/095ae4ab6869d0f7dc7befedb851cdd7ad0c7ebf

reference_url

https://github.com/TYPO3/typo3/commit/9990278ce7cf8e4d6b8bf31edec6787722d38b0f

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/9990278ce7cf8e4d6b8bf31edec6787722d38b0f

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2019-008

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-core-sa-2019-008

reference_url	https://github.com/advisories/GHSA-8h4m-r4wm-xj7r
reference_id	GHSA-8h4m-r4wm-xj7r
reference_type
scores
url	https://github.com/advisories/GHSA-8h4m-r4wm-xj7r

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

url	pkg:composer/typo3/cms@9.5.4
purl	pkg:composer/typo3/cms@9.5.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.4

aliases GHSA-8h4m-r4wm-xj7r

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yh6b-tc4u-v3bk

url VCID-zgfw-pk39-gyg8

vulnerability_id VCID-zgfw-pk39-gyg8

summary

TYPO3 Cross-Site Scripting in Fluid ViewHelpers
Failing to properly encode user input, templates using built-in Fluid ViewHelpers are vulnerable to cross-site scripting.

references

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-01-22-4.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-01-22-4.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/732c4acfaeaa7fd193674cd4d1ca7e369e21b96f

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/732c4acfaeaa7fd193674cd4d1ca7e369e21b96f

reference_url

https://github.com/TYPO3/typo3/commit/c94f566514eaff62dd836541c99b438ac55f6842

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/c94f566514eaff62dd836541c99b438ac55f6842

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2019-005

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-core-sa-2019-005

reference_url	https://github.com/advisories/GHSA-85ch-44w7-rf32
reference_id	GHSA-85ch-44w7-rf32
reference_type
scores
url	https://github.com/advisories/GHSA-85ch-44w7-rf32

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

url	pkg:composer/typo3/cms@9.5.4
purl	pkg:composer/typo3/cms@9.5.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.4

aliases GHSA-85ch-44w7-rf32

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zgfw-pk39-gyg8

url VCID-zmwv-gwq3-fkej

vulnerability_id VCID-zmwv-gwq3-fkej

summary

Cross-site Scripting
Cross-Site Scripting in Form Framework.

references

reference_url	https://typo3.org/security/advisory/typo3-core-sa-2019-007/
reference_id
reference_type
scores
url	https://typo3.org/security/advisory/typo3-core-sa-2019-007/

fixed_packages

url	pkg:composer/typo3/cms@8.7.23
purl	pkg:composer/typo3/cms@8.7.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

url	pkg:composer/typo3/cms@9.5.4
purl	pkg:composer/typo3/cms@9.5.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.4

aliases GMS-2019-177

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zmwv-gwq3-fkej

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.23

Package Instance