Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/77263?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/77263?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.12", "type": "composer", "namespace": "typo3", "name": "cms-core", "version": "9.5.12", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "9.5.25", "latest_non_vulnerable_version": "14.0.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54229?format=api", "vulnerability_id": "VCID-1ffs-9vj5-27hk", "summary": "Path Traversal\nDue to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, default `_fileDenyPattern_` successfully blocked files like `_.htaccess_` or `_malicious.php_`. Besides that, attackers can persist those files in any writable directory of the corresponding TYPO3 installation. A valid backend user account with access to the form module is needed to exploit this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21357", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01121", "scoring_system": "epss", "scoring_elements": "0.78584", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21357" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21357.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21357.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21357.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21357.yaml" }, { "reference_url": "https://packagist.org/packages/typo3/cms-form", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/typo3/cms-form" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2021-003", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2021-003" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21357", "reference_id": "CVE-2021-21357", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21357" }, { "reference_url": "https://github.com/advisories/GHSA-3vg7-jw9m-pc3f", "reference_id": "GHSA-3vg7-jw9m-pc3f", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3vg7-jw9m-pc3f" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-3vg7-jw9m-pc3f", "reference_id": "GHSA-3vg7-jw9m-pc3f", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-3vg7-jw9m-pc3f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80039?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.25", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25" }, { "url": "http://public2.vulnerablecode.io/api/packages/80040?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/80041?format=api", "purl": "pkg:composer/typo3/cms-core@11.1.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1" } ], "aliases": [ "CVE-2021-21357", "GHSA-3vg7-jw9m-pc3f" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1ffs-9vj5-27hk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52849?format=api", "vulnerability_id": "VCID-1sfk-z8py-ykb8", "summary": "Deserialization of Untrusted Data\nIn TYPO3 CMS, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization & remote code execution. The overall severity of this vulnerability is high based on mentioned attack chains and the requirement of having a valid backend user session (authenticated).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15098", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02358", "scoring_system": "epss", "scoring_elements": "0.85213", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15098" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15098.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15098.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15098.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15098.yaml" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/commit/85d3e70dff35a99ef53f4b561114acfa9e5c47e1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/commit/85d3e70dff35a99ef53f4b561114acfa9e5c47e1" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2016-013", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2016-013" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2020-008", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-008" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5091", "reference_id": "CVE-2016-5091", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5091" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15098", "reference_id": "CVE-2020-15098", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15098" }, { "reference_url": "https://github.com/advisories/GHSA-m5vr-3m74-jwxp", "reference_id": "GHSA-m5vr-3m74-jwxp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-m5vr-3m74-jwxp" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-m5vr-3m74-jwxp", "reference_id": "GHSA-m5vr-3m74-jwxp", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-m5vr-3m74-jwxp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77760?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/77761?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.6" } ], "aliases": [ "CVE-2020-15098", "GHSA-m5vr-3m74-jwxp" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1sfk-z8py-ykb8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53819?format=api", "vulnerability_id": "VCID-4an7-9ph4-mkd4", "summary": "Cleartext Storage of Sensitive Information\nTYPO3 is an open source PHP based web content management system. In TYPO3 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26228", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00177", "scoring_system": "epss", "scoring_elements": "0.39002", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26228" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26228.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26228.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26228.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26228.yaml" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-954j-f27r-cj52", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-954j-f27r-cj52" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2020-011", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-011" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26228", "reference_id": "CVE-2020-26228", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26228" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79202?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/79195?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.10" } ], "aliases": [ "CVE-2020-26228", "GHSA-954j-f27r-cj52" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4an7-9ph4-mkd4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54218?format=api", "vulnerability_id": "VCID-6mnf-2fcw-dqgp", "summary": "Asymmetric Resource Consumption (Amplification)\nRequesting invalid or non-existing resources via HTTP, triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21359", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00589", "scoring_system": "epss", "scoring_elements": "0.69527", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21359" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21359.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21359.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21359.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21359.yaml" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4p9g-qgx9-397p", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4p9g-qgx9-397p" }, { "reference_url": "https://packagist.org/packages/typo3/cms-core", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/typo3/cms-core" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2021-005", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2021-005" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21359", "reference_id": "CVE-2021-21359", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21359" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80039?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.25", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25" }, { "url": "http://public2.vulnerablecode.io/api/packages/80040?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/80041?format=api", "purl": "pkg:composer/typo3/cms-core@11.1.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1" } ], "aliases": [ "CVE-2021-21359", "GHSA-4p9g-qgx9-397p" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6mnf-2fcw-dqgp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54219?format=api", "vulnerability_id": "VCID-848u-w88s-5bbe", "summary": "Unrestricted Upload of File with Dangerous Type\nDue to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default `_fileDenyPattern_` successfully blocked files like `_.htaccess_` or `_malicious.php_`. Additionally, `_UploadedFileReferenceConverter_` transforming uploaded files into proper FileReference domain model objects handles possible file uploads for other extensions as well - given those extensions use the Extbase MVC framework, make use of FileReference items in their direct or inherited domain model definitions and did not implement their own type converter. In case this scenario applies, `_UploadedFileReferenceConverter_` accepts any file mime-type and persists files in the default location. In any way, uploaded files are placed in the default location `_/fileadmin/user_upload/_`, in most scenarios keeping the submitted filename - which allows attackers to directly reference files, or even correctly guess filenames used by other individuals, disclosing this information. No authentication is required to exploit this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21355", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.62059", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21355" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21355.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21355.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21355.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21355.yaml" }, { "reference_url": "https://packagist.org/packages/typo3/cms-form", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/typo3/cms-form" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2021-002", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2021-002" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21355", "reference_id": "CVE-2021-21355", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21355" }, { "reference_url": "https://github.com/advisories/GHSA-2r6j-862c-m2v2", "reference_id": "GHSA-2r6j-862c-m2v2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2r6j-862c-m2v2" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2r6j-862c-m2v2", "reference_id": "GHSA-2r6j-862c-m2v2", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2r6j-862c-m2v2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80039?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.25", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25" }, { "url": "http://public2.vulnerablecode.io/api/packages/80040?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/80041?format=api", "purl": "pkg:composer/typo3/cms-core@11.1.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1" } ], "aliases": [ "CVE-2021-21355", "GHSA-2r6j-862c-m2v2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-848u-w88s-5bbe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52603?format=api", "vulnerability_id": "VCID-8w4e-d49b-nbg8", "summary": "Cross-Site Request Forgery (CSRF)\nIn TYPO3 CMS, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victims' user session. In a worst-case scenario, new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS). Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a third party extension, e.g., file upload in a contact form with knowing the target location. To be successful, the attacked victim requires an active and valid backend or install tool user session at the time of the attack.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11069", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00398", "scoring_system": "epss", "scoring_elements": "0.60932", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11069" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11069.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11069.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11069.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11069.yaml" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-pqg8-crx9-g8m4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-pqg8-crx9-g8m4" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2020-006", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-006" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11069", "reference_id": "CVE-2020-11069", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11069" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77265?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/77266?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.2" } ], "aliases": [ "CVE-2020-11069", "GHSA-pqg8-crx9-g8m4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8w4e-d49b-nbg8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52596?format=api", "vulnerability_id": "VCID-bbh5-rss8-bfct", "summary": "Deserialization of Untrusted Data\nIt has been discovered that backend user settings (in `$BE_USER->uc`) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11067", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01181", "scoring_system": "epss", "scoring_elements": "0.79096", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11067" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11067.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11067.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11067.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11067.yaml" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2wj9-434x-9hvp", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2wj9-434x-9hvp" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2020-005", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-005" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11067", "reference_id": "CVE-2020-11067", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11067" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77265?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/77266?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.2" } ], "aliases": [ "CVE-2020-11067", "GHSA-2wj9-434x-9hvp" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bbh5-rss8-bfct" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52592?format=api", "vulnerability_id": "VCID-bcbd-zzet-mff6", "summary": "Cross-site Scripting\nIt has been discovered that link tags generated by the typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11065", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00206", "scoring_system": "epss", "scoring_elements": "0.42771", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11065" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11065.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11065.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11065.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11065.yaml" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4j77-gg36-9864", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4j77-gg36-9864" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2020-003", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-003" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11065", "reference_id": "CVE-2020-11065", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11065" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77265?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/77266?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.2" } ], "aliases": [ "CVE-2020-11065", "GHSA-4j77-gg36-9864" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bcbd-zzet-mff6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52602?format=api", "vulnerability_id": "VCID-e6zr-4bgg-kkh5", "summary": "Improperly Controlled Modification of Dynamically-Determined Object Attributes\nCalling `unserialize()` on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the website (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11066", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00528", "scoring_system": "epss", "scoring_elements": "0.67492", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11066" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11066.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11066.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11066.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11066.yaml" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2rxh-h6h9-qrqc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2rxh-h6h9-qrqc" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2020-004", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-004" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11066", "reference_id": "CVE-2020-11066", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11066" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77265?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/77266?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.2" } ], "aliases": [ "CVE-2020-11066", "GHSA-2rxh-h6h9-qrqc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e6zr-4bgg-kkh5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54233?format=api", "vulnerability_id": "VCID-ev4k-5k1d-2bhu", "summary": "URL Redirection to Untrusted Site (Open Redirect)\nLogin Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and conducting phishing attacks. No authentication is required in order to exploit this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21338", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48774", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21338" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21338.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21338.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21338.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21338.yaml" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4jhw-2p6j-5wmp", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4jhw-2p6j-5wmp" }, { "reference_url": "https://packagist.org/packages/typo3/cms-core", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/typo3/cms-core" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2021-001", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2021-001" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21338", "reference_id": "CVE-2021-21338", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21338" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80039?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.25", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25" }, { "url": "http://public2.vulnerablecode.io/api/packages/80040?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/80041?format=api", "purl": "pkg:composer/typo3/cms-core@11.1.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1" } ], "aliases": [ "CVE-2021-21338", "GHSA-4jhw-2p6j-5wmp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ev4k-5k1d-2bhu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54220?format=api", "vulnerability_id": "VCID-fqkx-v8t5-q3h6", "summary": "Cleartext Storage of Sensitive Information\nUser session identifiers are stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - for example SQL injection in any other component of the system.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21339", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00132", "scoring_system": "epss", "scoring_elements": "0.32224", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21339" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21339.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21339.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21339.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21339.yaml" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-qx3w-4864-94ch", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-qx3w-4864-94ch" }, { "reference_url": "https://packagist.org/packages/typo3/cms-core", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/typo3/cms-core" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2021-006", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2021-006" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21339", "reference_id": "CVE-2021-21339", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21339" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80039?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.25", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25" }, { "url": "http://public2.vulnerablecode.io/api/packages/80040?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/80041?format=api", "purl": "pkg:composer/typo3/cms-core@11.1.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1" } ], "aliases": [ "CVE-2021-21339", "GHSA-qx3w-4864-94ch" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fqkx-v8t5-q3h6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54221?format=api", "vulnerability_id": "VCID-jp1p-rfxa-hyd9", "summary": "Cross-site Scripting\nContent elements of type `_menu_` are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21370", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.57112", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21370" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21370.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21370.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21370.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21370.yaml" }, { "reference_url": "https://packagist.org/packages/typo3/cms-backend", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/typo3/cms-backend" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2021-008", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2021-008" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21370", "reference_id": "CVE-2021-21370", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21370" }, { "reference_url": "https://github.com/advisories/GHSA-x7hc-x7fm-f7qh", "reference_id": "GHSA-x7hc-x7fm-f7qh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x7hc-x7fm-f7qh" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh", "reference_id": "GHSA-x7hc-x7fm-f7qh", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80039?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.25", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25" }, { "url": "http://public2.vulnerablecode.io/api/packages/80040?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/80041?format=api", "purl": "pkg:composer/typo3/cms-core@11.1.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1" } ], "aliases": [ "CVE-2021-21370", "GHSA-x7hc-x7fm-f7qh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jp1p-rfxa-hyd9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52593?format=api", "vulnerability_id": "VCID-n1gz-y615-cbbk", "summary": "Cross-site Scripting\nIt has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11064", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00206", "scoring_system": "epss", "scoring_elements": "0.42771", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11064" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11064.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11064.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11064.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11064.yaml" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-43gj-mj2w-wh46", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-43gj-mj2w-wh46" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2020-002", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-002" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11064", "reference_id": "CVE-2020-11064", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11064" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77265?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/77266?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.2" } ], "aliases": [ "CVE-2020-11064", "GHSA-43gj-mj2w-wh46" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n1gz-y615-cbbk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53815?format=api", "vulnerability_id": "VCID-tgyt-axv1-c7ag", "summary": "Cross-site Scripting\nTYPO3 is an open source PHP based web content management system. In TYPO3 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. Update to TYPO3 that fix the problem described.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26227", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.5838", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26227" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26227.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26227.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26227.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26227.yaml" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-vqqx-jw6p-q3rf", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-vqqx-jw6p-q3rf" }, { "reference_url": "https://packagist.org/packages/typo3/cms-core", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/typo3/cms-core" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2020-010", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-010" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26227", "reference_id": "CVE-2020-26227", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26227" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79202?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/79195?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.10" } ], "aliases": [ "CVE-2020-26227", "GHSA-vqqx-jw6p-q3rf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tgyt-axv1-c7ag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52851?format=api", "vulnerability_id": "VCID-zkvq-bms4-gfcv", "summary": "Improper Input Validation\nIn TYPO3 CMS, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1), it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch `typo3conf/LocalConfiguration.php`, which again contains the `encryptionKey` as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, this allows the ability to completely retrieve, manipulate or delete database contents. This includes creating an administration user account which can be used to trigger remote code execution by injecting custom extensions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15099", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01187", "scoring_system": "epss", "scoring_elements": "0.79142", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15099" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15099.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15099.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15099.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15099.yaml" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2020-007", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-007" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15099", "reference_id": "CVE-2020-15099", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15099" }, { "reference_url": "https://github.com/advisories/GHSA-3x94-fv5h-5q2c", "reference_id": "GHSA-3x94-fv5h-5q2c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3x94-fv5h-5q2c" }, { "reference_url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-3x94-fv5h-5q2c", "reference_id": "GHSA-3x94-fv5h-5q2c", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-3x94-fv5h-5q2c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77760?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/77761?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.6" } ], "aliases": [ "CVE-2020-15099", "GHSA-3x94-fv5h-5q2c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zkvq-bms4-gfcv" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55133?format=api", "vulnerability_id": "VCID-4rfq-u488-sbh5", "summary": "TYPO3 Cross-Site Scripting in Link Handling\nIt has been discovered that t3:// URL handling and typolink functionality are vulnerable to cross-site scripting. Not only regular backend forms are affected but also frontend extensions which use the rendering with typolink.", "references": [ { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-12-17-2.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-12-17-2.yaml" }, { "reference_url": "https://github.com/TYPO3-CMS/core", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3-CMS/core" }, { "reference_url": "https://github.com/TYPO3-CMS/core/commit/280908c9472aa5e1d9ee005327bbb9aed53f613a", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3-CMS/core/commit/280908c9472aa5e1d9ee005327bbb9aed53f613a" }, { "reference_url": "https://github.com/TYPO3-CMS/core/commit/89f5817c09a50d8d60821158d651bd618521164e", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3-CMS/core/commit/89f5817c09a50d8d60821158d651bd618521164e" }, { "reference_url": "https://github.com/TYPO3-CMS/core/commit/d2823a451d65ac59dd42ec54c92903d70d29c813", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3-CMS/core/commit/d2823a451d65ac59dd42ec54c92903d70d29c813" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2019-022", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-022" }, { "reference_url": "https://github.com/advisories/GHSA-4ppr-jw47-9qm5", "reference_id": "GHSA-4ppr-jw47-9qm5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4ppr-jw47-9qm5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81682?format=api", "purl": "pkg:composer/typo3/cms-core@8.7.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/77263?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bcbd-zzet-mff6" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/81684?format=api", "purl": "pkg:composer/typo3/cms-core@10.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bcbd-zzet-mff6" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-r3az-g422-gqf9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.2.1" } ], "aliases": [ "GHSA-4ppr-jw47-9qm5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4rfq-u488-sbh5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55129?format=api", "vulnerability_id": "VCID-78ff-k66z-bkh7", "summary": "TYPO3 Cross-Site Scripting in Filelist Module\nIt has been discovered that the output table listing in the “Files” backend module is vulnerable to cross-site scripting when a file extension contains malicious sequences.\n\nAccess to the file system of the server - either directly or through synchronization - is required to exploit the vulnerability.", "references": [ { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-12-17-3.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-12-17-3.yaml" }, { "reference_url": "https://github.com/TYPO3-CMS/core", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3-CMS/core" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2019-023", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-023" }, { "reference_url": "https://github.com/advisories/GHSA-6xwf-7rfm-4gwc", "reference_id": "GHSA-6xwf-7rfm-4gwc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6xwf-7rfm-4gwc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81682?format=api", "purl": "pkg:composer/typo3/cms-core@8.7.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/77263?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bcbd-zzet-mff6" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/81684?format=api", "purl": "pkg:composer/typo3/cms-core@10.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bcbd-zzet-mff6" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-r3az-g422-gqf9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.2.1" } ], "aliases": [ "GHSA-6xwf-7rfm-4gwc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-78ff-k66z-bkh7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52113?format=api", "vulnerability_id": "VCID-p7gd-anw2-1qbz", "summary": "Deserialization of Untrusted Data\nIt has been discovered that the classes `QueryGenerator` and `QueryView` are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension `ext:lowlevel` (Backend Module `DB Check`) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension `ext:sys_action` installed, with a valid backend user who has limited privileges.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-19849", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00746", "scoring_system": "epss", "scoring_elements": "0.7342", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-19849" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2019-19849.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2019-19849.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2019-19849.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2019-19849.yaml" }, { "reference_url": "https://review.typo3.org/q/%2522Resolves:+%252389005%2522+topic:security", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://review.typo3.org/q/%2522Resolves:+%252389005%2522+topic:security" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2019-026", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-026" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2019-026/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-026/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19849", "reference_id": "CVE-2019-19849", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19849" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81682?format=api", "purl": "pkg:composer/typo3/cms-core@8.7.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/77263?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bcbd-zzet-mff6" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/81684?format=api", "purl": "pkg:composer/typo3/cms-core@10.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bcbd-zzet-mff6" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-r3az-g422-gqf9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.2.1" } ], "aliases": [ "CVE-2019-19849", "GHSA-rcgc-4xfc-564v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p7gd-anw2-1qbz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52099?format=api", "vulnerability_id": "VCID-rqrw-t2kj-mud8", "summary": "SQL Injection\nBecause escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension `ext:lowlevel` installed, and a valid backend user who has administrator privileges.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-19850", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.52069", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-19850" }, { "reference_url": "https://github.com/TYPO3/typo3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/typo3" }, { "reference_url": "https://review.typo3.org/q/%2522Resolves:+%252389452%2522+topic:security", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://review.typo3.org/q/%2522Resolves:+%252389452%2522+topic:security" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2019-025", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-025" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2019-025/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-025/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19850", "reference_id": "CVE-2019-19850", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19850" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81682?format=api", "purl": "pkg:composer/typo3/cms-core@8.7.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/77263?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bcbd-zzet-mff6" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/151639?format=api", "purl": "pkg:composer/typo3/cms-core@10.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bcbd-zzet-mff6" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-r3az-g422-gqf9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.2.2" } ], "aliases": [ "CVE-2019-19850", "GHSA-59pj-7mjh-4465" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rqrw-t2kj-mud8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55086?format=api", "vulnerability_id": "VCID-uhrk-ad4f-nqgh", "summary": "TYPO3 Possible Insecure Deserialization in Extbase Request Handling\nIt has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized.\n\nHowever, since sensitive information could have been leaked by accident (e.g. in repositories or in commonly known and unprotected backup files), there is the possibility that attackers know the private encryptionKey and are able to calculate the required HMAC-SHA1 to allow a malicious payload to be deserialized.\n\nRequirements for successfully exploiting this vulnerability (all of the following):\n\n- rendering at least one Extbase plugin in the frontend\n- encryptionKey has been leaked (from LocalConfiguration.php or corresponding .env file)", "references": [ { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-12-17-7.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-12-17-7.yaml" }, { "reference_url": "https://github.com/TYPO3-CMS/core", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3-CMS/core" }, { "reference_url": "https://typo3.org/security/advisory/typo3-psa-2019-011", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-psa-2019-011" }, { "reference_url": "https://github.com/advisories/GHSA-5h5v-m596-r6rf", "reference_id": "GHSA-5h5v-m596-r6rf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5h5v-m596-r6rf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81682?format=api", "purl": "pkg:composer/typo3/cms-core@8.7.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/77263?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bcbd-zzet-mff6" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.12" } ], "aliases": [ "GHSA-5h5v-m596-r6rf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uhrk-ad4f-nqgh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52106?format=api", "vulnerability_id": "VCID-xw1s-93bu-wuh9", "summary": "Path Traversal\nIt has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-19848", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00374", "scoring_system": "epss", "scoring_elements": "0.59393", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-19848" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2019-19848.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2019-19848.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2019-19848.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2019-19848.yaml" }, { "reference_url": "https://review.typo3.org/q/%2522Resolves:+%252388764%2522+topic:security", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://review.typo3.org/q/%2522Resolves:+%252388764%2522+topic:security" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2019-024", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-024" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2019-024/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-024/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19848", "reference_id": "CVE-2019-19848", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19848" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81682?format=api", "purl": "pkg:composer/typo3/cms-core@8.7.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/77263?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bcbd-zzet-mff6" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/151639?format=api", "purl": "pkg:composer/typo3/cms-core@10.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bcbd-zzet-mff6" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-r3az-g422-gqf9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.2.2" } ], "aliases": [ "CVE-2019-19848", "GHSA-77p4-wfr8-977w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xw1s-93bu-wuh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55092?format=api", "vulnerability_id": "VCID-ygw1-vqxg-z3h3", "summary": "TYPO3 Cross-Site Scripting in Form Framework validation handling\nIt has been discovered that the output of field validation errors in the Form Framework is vulnerable to cross-site scripting.", "references": [ { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-12-17-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-12-17-1.yaml" }, { "reference_url": "https://github.com/TYPO3-CMS/core", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3-CMS/core" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2019-021", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-021" }, { "reference_url": "https://github.com/advisories/GHSA-95qm-3xp7-vfj5", "reference_id": "GHSA-95qm-3xp7-vfj5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-95qm-3xp7-vfj5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81682?format=api", "purl": "pkg:composer/typo3/cms-core@8.7.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/77263?format=api", "purl": "pkg:composer/typo3/cms-core@9.5.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bcbd-zzet-mff6" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/81684?format=api", "purl": "pkg:composer/typo3/cms-core@10.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bcbd-zzet-mff6" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-r3az-g422-gqf9" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.2.1" } ], "aliases": [ "GHSA-95qm-3xp7-vfj5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ygw1-vqxg-z3h3" } ], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.12" }