Search for packages
| purl | pkg:composer/typo3/cms-core@12.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1r9g-c5rn-ukgb
Aliases: CVE-2025-47940 GHSA-6frx-j292-c844 |
TYPO3 Allows Privilege Escalation to System Maintainer ### Problem Administrator-level backend users without system maintainer privileges can escalate their privileges and gain system maintainer access. Exploiting this vulnerability requires a valid administrator account. ### Solution Update to TYPO3 versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described. ### Credits Thanks to Alexander Künzl for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-4hsv-y3rz-e3a2
Aliases: CVE-2023-30451 GHSA-3gjc-mp82-fj4q GHSA-w6x2-jg8h-p6mp |
Path Traversal in TYPO3 File Abstraction Layer Storages ### Problem Configurable storages using the local driver of the File Abstraction Layer (FAL) could be configured to access directories outside of the root directory of the corresponding project. The system setting in `BE/lockRootPath` was not evaluated by the file abstraction layer component. An administrator-level backend user account is required to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. #### ℹ️ **Strong security defaults - Manual actions required** _see [Important: #102800 changelog](https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/11.5.x/Important-102800-FileAbstractionLayerEnforcesAbsolutePathsToMatchProjectRootOrLockRootPath.html)_ Assuming that a web project is located in the directory `/var/www/example.org` (the "project root path" for Composer-based projects) and the publicly accessible directory is located at `/var/www/example.org/public` (the "public root path"), accessing resources via the File Abstraction Layer component is limited to the mentioned directories. To grant additional access to directories, they must be explicitly configured in the system settings of `$GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath']` - either using the Install Tool or according to deployment techniques. The existing setting has been extended to support multiple directories configured as an array of strings. Example: ```php $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'] = [ ‘/var/shared/documents/’, ‘/var/shared/images/’, ]; ``` ❗ **Storages that reference directories not explicitly granted will be marked as "offline" internally - no resources can be used in the website's frontend and backend context.** ### Credits Thanks to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-001](https://typo3.org/security/advisory/typo3-core-sa-2024-001) |
Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-4t9s-p25a-cfas
Aliases: CVE-2025-47939 GHSA-9hq9-cr36-4wpj |
TYPO3 Allows Unrestricted File Upload in File Abstraction Layer ### Problem By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as executable binaries (e.g., `.exe` files), or files with inconsistent file extensions and MIME types (for example, a file incorrectly named with a `.png` extension but actually carrying the MIME type `application/zip`). Although such files are not directly executable through the web server, their presence can introduce indirect risks. For example, third-party services such as antivirus scanners or malware detection systems might flag or block access to the website for end users if suspicious files are found. This could negatively affect the availability or reputation of the site. ### Solution Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described. > [!NOTE] > The mitigation strategies outlined below apply broadly to all file uploads handled through TYPO3's File Abstraction Layer (FAL), not just those performed via the backend interface. This means that any extension or custom integration leveraging FAL will also be subject to the new validation rules and configuration options. Developers are advised to review the implications for their code and refer to the [documentation of that change](https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/12.4.x/Important-106240-EnforceFile-extensionsAndMime-typeConsistencyInFileAbstractionLayer.html) for guidance. > [!IMPORTANT] > > **Strong security defaults - Manual actions required** > > These versions introduce new configuration options to better control which files are permitted for upload and to improve consistency checks. > > A new configuration option, `$GLOBALS['TYPO3_CONF_VARS']['SYS']['miscfile_ext']`, has been added. This option allows administrators to explicitly define which file extensions should be permitted that are not already part of the built-in text or media file groups - examples include archive formats such as `zip` or `xz`. > > In addition, two new feature flags have been introduced to enhance security: > * `security.system.enforceAllowedFileExtensions`, enforces the defined list of allowed file extensions. This flag is enabled by default in new TYPO3 installations, but remains disabled in existing installations to prevent breaking changes. > * `security.system.enforceFileExtensionMimeTypeConsistency`, ensures that the uploaded file’s extension matches its actual MIME type, providing further validation of file integrity. This flag is active by default. > > It is recommended to configure the allowed file extensions via `$GLOBALS['TYPO3_CONF_VARS']['SYS']['miscfile_ext']` and to enable the feature flag `security.system.enforceAllowedFileExtensions` to enforce the restriction. ### Credits Thanks to Hamed Kohi for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-65ue-7jd9-23gf
Aliases: CVE-2025-47938 GHSA-3jrg-97f3-rqh9 |
TYPO3 Unverified Password Change for Backend Users ### Problem The backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification. This behavior may lower the protection against unauthorized access in scenarios where an admin session is hijacked or left unattended, as it enables password changes without additional authentication. ### Solution Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described. > [!NOTE] > In these versions, administrators are required to verify their identity through step-up authentication (also known as sudo mode) when changing backend user passwords. ### Credits Thanks to the National Cyber Security Center (NCSC) of Switzerland for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-8d2m-1ffv-jqe1
Aliases: CVE-2024-34356 GHSA-v6mw-h7w6-59w3 |
TYPO3 vulnerable to Cross-Site Scripting in the Form Manager Module ### Problem The form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to the form module. ### Solution Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described. ### Credits Thanks to TYPO3 core & security team member Benjamin Franzke who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2024-008](https://typo3.org/security/advisory/typo3-core-sa-2024-008) |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-8sdd-b1bn-cuhx
Aliases: CVE-2022-23502 GHSA-mgj2-q8wp-29rr GMS-2022-8135 |
TYPO3 CMS vulnerable to Insufficient Session Expiration after Password Reset ### Problem When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. ### Solution Update to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-014](https://typo3.org/security/advisory/typo3-core-sa-2022-014) |
Affected by 18 other vulnerabilities. |
|
VCID-axvk-13qf-tka7
Aliases: CVE-2024-22188 GHSA-5w2h-59j3-8x5w |
TYPO3 Install Tool vulnerable to Code Execution ### Problem Several settings in the Install Tool for configuring the path to system binaries were vulnerable to code execution. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. The corresponding change for this advisory involves enforcing the known disadvantages described in [TYPO3-PSA-2020-002: Protecting Install Tool with Sudo Mode](https://typo3.org/security/advisory/typo3-psa-2020-002). ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to Rickmer Frier & Daniel Jonka who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-002](https://typo3.org/security/advisory/typo3-core-sa-2024-002) |
Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-g4uc-qeb6-myed
Aliases: CVE-2024-25119 GHSA-h47m-3f78-qp9g |
TYPO3 Install Tool vulnerable to Information Disclosure of Encryption Key ### Problem The plaintext value of `$GLOBALS['SYS']['encryptionKey']` was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-004](https://typo3.org/security/advisory/typo3-core-sa-2024-004) |
Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-gv1b-xtv4-4yg3
Aliases: CVE-2024-25118 GHSA-38r2-5695-334w |
TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords ### Problem Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to the TYPO3 framework merger Christian Kuhn and external security researchers Maximilian Beckmann, Klaus-Günther Schmidt who reported this issue, and TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2024-003](https://typo3.org/security/advisory/typo3-core-sa-2024-003) |
Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-gyyu-n3b1-zbcj
Aliases: CVE-2026-0859 GHSA-7vp9-x248-9vr9 |
TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool ### Problem Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server. The vulnerability is triggered when TYPO3 is configured with `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file';` and a scheduler task or cron job runs the command `mailer:spool:send`. The spool‑send operation performs the insecure deserialization that is at the core of this issue. ### Solution Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described. ### Credits Thanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it. ### References * [TYPO3-CORE-SA-2026-004](https://typo3.org/security/advisory/typo3-core-sa-2026-004) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-h6y3-7gsq-skh2
Aliases: CVE-2023-47127 GHSA-3vmm-7h4j-69rm |
TYPO3 vulnerable to Weak Authentication in Session Handling TYPO3 is an open source PHP based web content management system released under the GNU GPL. In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can be reused on the second site without requiring additional authentication. This vulnerability has been addressed in versions 8.7.55, 9.5.44, 10.4.41, 11.5.33, and 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 15 other vulnerabilities. |
|
VCID-jxw7-skw6-q7bg
Aliases: CVE-2025-59015 GHSA-p5jq-5383-qvc7 |
TYPO3 CMS uses insufficient entropy when generating passwords A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-mud2-s4rc-fuf6
Aliases: CVE-2024-34358 GHSA-36g8-62qv-5957 |
TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController ### Problem The `ShowImageController` (_eID tx_cms_showpic_) lacks a cryptographic HMAC-signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. ### Solution Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described. #### ℹ️ **Strong security defaults - Manual actions required** The `frame` HTTP query parameter is now ignored, since it could not be used by core APIs. The new feature flag `security.frontend.allowInsecureFrameOptionInShowImageController` – which is disabled per default – can be used to reactivate the previous behavior. ### Credits Thanks to TYPO3 security team member Torben Hansen who reported this issue and to TYPO3 core & security team members Benjamin Mack and Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-010](https://typo3.org/security/advisory/typo3-core-sa-2024-010) |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-n7ng-zkkb-2qaz
Aliases: CVE-2024-25120 GHSA-wf85-8hx9-gj7c |
TYPO3 vulnerable to Improper Access Control of Resources Referenced by t3:// URI Scheme ### Problem The TYPO3-specific [`t3://` URI scheme](https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references) could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-005](https://typo3.org/security/advisory/typo3-core-sa-2024-005) |
Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-nubu-f1sc-gbes
Aliases: CVE-2025-47937 GHSA-x8pv-fgxp-8v3x |
TYPO3 Allows Information Disclosure via DBAL Restriction Handling ### Problem When performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the last table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. ### Solution Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described. ### Credits Thanks to Christian Futterlieb for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-qeus-f4wj-rubr
Aliases: CVE-2025-59016 GHSA-cvm2-5f78-g9m8 |
TYPO3 CMS exposes sensitive information in an error message Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-qzyk-7877-27a3
Aliases: CVE-2025-59013 GHSA-72jf-5fg5-3cw3 |
TYPO3 CMS has an open‑redirect vulnerability An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phishing attacks by supplying a manipulated, sanitized URL. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-t1n7-eswt-73gw
Aliases: CVE-2022-23503 GHSA-c5wx-6c2c-f7rm GMS-2022-8132 |
TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework ### Problem Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it was possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item (known as [`formDefinitionOverrides`](https://docs.typo3.org/c/typo3/cms-form/main/en-us/I/Concepts/FrontendRendering/Index.html#form-element-properties)) and a valid backend user account with access to the form module are needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-015](https://typo3.org/security/advisory/typo3-core-sa-2022-015) |
Affected by 18 other vulnerabilities. |
|
VCID-taj6-zj2n-5kg8
Aliases: CVE-2024-25121 GHSA-rj3x-wvc6-5j66 |
TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler ### Problem Entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. #### ℹ️ Strong security defaults - Manual actions required When persisting entities of the File Abstraction Layer directly via DataHandler, `sys_file` entities are now denied by default, and `sys_file_reference` & `sys_file_metadata` entities are not permitted to reference files in the fallback storage anymore. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using `$dataHandler->isImporting = true;`. ### Credits Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2024-006](https://typo3.org/security/advisory/typo3-core-sa-2024-006) |
Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-vyvy-y3cw-hbgr
Aliases: CVE-2023-24814 GHSA-r4f8-f93x-5qh3 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv('SCRIPT_NAME')` and corresponding usages (as shown below) is vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php is vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation. |
Affected by 17 other vulnerabilities. |
|
VCID-w13x-3rp9-wyej
Aliases: CVE-2022-23504 GHSA-8w3p-qh3x-6gjr GMS-2022-8131 |
TYPO3 CMS vulnerable to Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration > ### CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C` (5.3) ### Problem Due to the lack of handling user-submitted [YAML placeholder expressions](https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/Configuration/Yaml/YamlApi.html#custom-placeholder-processing) in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### Credits Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2022-016](https://typo3.org/security/advisory/typo3-core-sa-2022-016) |
Affected by 18 other vulnerabilities. |
|
VCID-xy6y-312d-rygj
Aliases: CVE-2024-55892 GHSA-2fx5-pggv-6jjr |
TYPO3 Potential Open Redirect via Parsing Differences ### Problem Applications that use `TYPO3\CMS\Core\Http\Uri` to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing the validation checks. ### Solution Update to TYPO3 versions 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described. ### Credits Thanks to Sam Mush and Christian Eßl who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2025-002](https://typo3.org/security/advisory/typo3-core-sa-2025-002) |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-zdq2-dhb2-6kaq
Aliases: CVE-2022-23501 GHSA-jfp7-79g7-89rf GMS-2022-8134 |
TYPO3 CMS vulnerable to Weak Authentication in Frontend Login ### Problem Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-013](https://typo3.org/security/advisory/typo3-core-sa-2022-013) |
Affected by 18 other vulnerabilities. |
|
VCID-zn99-ywte-33g6
Aliases: CVE-2023-38499 GHSA-jq6g-4v5m-wm9r |
Improper Access Control TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem. |
Affected by 16 other vulnerabilities. |
|
VCID-zwgt-rm1f-6bf2
Aliases: CVE-2024-34357 GHSA-hw6c-6gwq-3m3m |
TYPO3 vulnerable to Cross-Site Scripting in the ShowImageController ### Problem Failing to properly encode user-controlled values in file entities, the `ShowImageController` (_eID tx_cms_showpic_) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. ### Solution Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described. ### Credits Thanks to TYPO3 security team member Torben Hansen who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2024-009](https://typo3.org/security/advisory/typo3-core-sa-2024-009) |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||