Search for packages
| purl | pkg:composer/typo3/cms@4.5.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1c26-d6gv-4ud4
Aliases: CVE-2011-4904 GHSA-qf79-34j4-54m6 |
Improper Input Validation TYPO3 before 4.4.9 and 4.5.x before 4.5.4 does not apply proper access control on ExtDirect calls which allows remote attackers to retrieve ExtDirect endpoint services. |
Affected by 0 other vulnerabilities. |
|
VCID-2zuf-yf2d-t3hg
Aliases: CVE-2011-4630 GHSA-29wr-24h5-95r5 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the browse_links wizard. |
Affected by 0 other vulnerabilities. |
|
VCID-57cn-dmzh-4kdq
Aliases: CVE-2012-2112 GHSA-qfr3-29w6-hwpg |
Typo3 Exception Handler XSS Cross-site scripting (XSS) vulnerability in the Exception Handler in TYPO3 4.4.x before 4.4.15, 4.5.x before 4.5.15, 4.6.x before 4.6.8, and 4.7 allows remote attackers to inject arbitrary web script or HTML via exception messages. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-59zz-tmvz-sqgm
Aliases: GHSA-mxjf-hc9v-xgv2 |
ExtJS JavaScript framework used in TYPO3 vulnerable to Cross-site Scripting Failing to properly validate the HTTP host-header TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to generate absolute URLs in several places like 404 handling, http(s) enforcement, password reset links and many more. Since the host header itself is provided by the client it can be forged to any value, even in a name based virtual hosts environment. A blog post describes this problem in great detail. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 104 other vulnerabilities. |
|
VCID-88ng-ph1q-cybw
Aliases: CVE-2012-1608 GHSA-w3v6-r62r-fvqh |
Improper Input Validation The t3lib_div::RemoveXSS API method in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism and inject arbitrary web script or HTML via non printable characters. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-8fcj-b2dq-3qav
Aliases: CVE-2012-6146 GHSA-2hp4-8h6h-93rr |
Typo3 Backend History Module Vulnerable to XSS The Backend History Module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 does not properly restrict access, which allows remote authenticated editors to read the history of arbitrary records via a crafted URL. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-93v3-exum-5qf5
Aliases: CVE-2011-4628 GHSA-79gv-5cgx-x6rx |
Improper Authentication TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authentication mechanisms in the backend through a crafted request. |
Affected by 0 other vulnerabilities. |
|
VCID-99uu-rfrf-bqa7
Aliases: CVE-2014-9508 GHSA-v6xv-rmqc-wcc8 |
Typo3 Open Redirect In Frontend Rendering The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, allows remote attackers to change URLs to arbitrary domains. An attacker could forge a request which modifies anchor only links on the homepage of a TYPO3 installation such that they point to arbitrary domains, if the configuration option `config.prefixLocalAnchors` is used with any possible value. TYPO3 versions 4.6.x and higher are only affected if the homepage is not a shortcut to a different page. As an additional pre-condition, URL rewriting must be enabled in the web server (which it typically is) when using extensions like realurl or cooluri. Installations where `config.absRefPrefix` is additionally set to any value are not affected by this vulnerability. Example of affected configuration: ```php config.absRefPrefix = config.prefixLocalAnchors = all page = PAGE page.10 = TEXT page.10.value = <a href="#skiplinks">Skiplinks</a> .htaccess: RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-l RewriteRule .* index.php [L] ``` |
Affected by 0 other vulnerabilities. Affected by 95 other vulnerabilities. Affected by 61 other vulnerabilities. |
|
VCID-9j2h-q1n5-kbgt
Aliases: CVE-2014-3943 GHSA-qqh2-h6gw-6x8x |
Typo3 XSS Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 104 other vulnerabilities. |
|
VCID-b7s9-hkwv-63ht
Aliases: CVE-2012-3530 GHSA-94c2-g68f-9r98 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Incomplete block list vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain HTML5 JavaScript events. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-d79s-4kzk-hugy
Aliases: CVE-2014-3941 GHSA-594h-cx6w-p4jf |
Typo3 Host Header Spoofing Vulnerability TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing." |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 104 other vulnerabilities. |
|
VCID-dban-xxn2-f3b2
Aliases: CVE-2012-6144 GHSA-947m-vgqc-x6v4 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL injection vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to execute arbitrary SQL commands via unspecified vectors. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-fprf-zjud-8fcv
Aliases: CVE-2012-1606 GHSA-7wwr-p84q-qr3q |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in the Backend component in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-fv74-gq28-rkd5
Aliases: CVE-2012-1605 GHSA-7jfm-px59-99w8 |
Typo3 Extbase Framework Unsafe Deserialization The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unserializes untrusted data, which allows remote attackers to unserialize arbitrary objects and possibly execute arbitrary code via vectors related to "a missing signature (HMAC) for a request argument." |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-g75m-m11u-7fbj
Aliases: CVE-2012-3531 GHSA-p9wg-jvj4-cx26 |
Typo3 Install Tool XSS Vulnerability Cross-site scripting (XSS) vulnerability in the Install Tool in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-hpju-vhzg-jyes
Aliases: GHSA-45xg-4w5x-j429 |
TYPO3 Arbitrary Shell Execution in Swiftmailer library The swiftmailer library in use allows to execute arbitrary shell commands if the "From" header comes from a non-trusted source and no "Return-Path" is configured. Affected are only TYPO3 installation the configuration option ``` $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport'] ``` is set to "sendmail". Installations with the default configuration are not affected. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 100 other vulnerabilities. |
|
VCID-jb2j-eygc-n7b7
Aliases: CVE-2012-6148 GHSA-rgf6-9q7g-55qg |
Typo3 Function Menu API XSS Vulnerability Cross-site scripting (XSS) vulnerability in the function menu API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-jk5g-64sn-ffgx
Aliases: CVE-2011-4627 GHSA-frf4-5p2c-c3ff |
Exposure of Sensitive Information to an Unauthorized Actor TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows Information Disclosure on the backend. |
Affected by 0 other vulnerabilities. |
|
VCID-m3dg-q4eg-wyfb
Aliases: CVE-2014-3942 GHSA-55g3-fjwm-w2c8 |
TYPO3 Color Picker Wizard component allows remote authenticated editors to execute arbitrary PHP code The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-n177-3cym-d7e7
Aliases: CVE-2011-4632 GHSA-h86g-796f-hhfq |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the tcemain flash message. |
Affected by 0 other vulnerabilities. |
|
VCID-nvd8-5j51-2yeg
Aliases: CVE-2011-4902 GHSA-9vxq-mxw5-mcgp |
Improper Input Validation TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to delete arbitrary files on the webserver. |
Affected by 0 other vulnerabilities. |
|
VCID-p8m8-y53c-cubn
Aliases: CVE-2013-7073 GHSA-4rpv-g4gq-rh4m |
TYPO3 vulnerable to Information Disclosure via Content Editing Wizards component The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-tu8v-rv87-wfa3
Aliases: CVE-2011-4903 GHSA-q22w-r5qq-v3wf |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the RemoveXSS function. |
Affected by 0 other vulnerabilities. |
|
VCID-v3xx-f132-g3hn
Aliases: CVE-2012-3529 GHSA-7gg8-3r6j-5g55 |
Typo3 Backend Configuration XSS Vulnerability The configuration module in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to obtain the encryption key via unspecified vectors. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-vbbx-pk8m-jfhd
Aliases: CVE-2014-9509 GHSA-5479-gqqr-f9gj |
Typo3 Vulnerable to Cache Poisoning **Problem Description:** A request URL with arbitrary arguments, but still pointing to the home page of a TYPO3 installation can be cached if the configuration option `config.prefixLocalAnchors` is used with the values "all" or "cached". The impact of this vulnerability is that unfamiliar looking links to the home page can end up in the cache, which leads to a reload of the page in the browser when section links are followed by web page visitors, instead of just directly jumping to the requested section of the page. TYPO3 versions 4.6.x and higher are only affected if the homepage is not a shortcut to a different page. **Solution:** Removing the configuration options `config.prefixLocalAnchors` (and optionally also config.baseUrl) in favor of `config.absRefPrefix` **Credits:** Thanks to Gernot Leitgab who discovered and reported the vulnerability. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 95 other vulnerabilities. Affected by 61 other vulnerabilities. |
|
VCID-xb19-n4s4-rqc9
Aliases: CVE-2011-3583 GHSA-gx4p-6w86-f8jx |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are not properly replaced, could lead to a SQL Injection vulnerability. This issue can only be exploited if two or more parameters are bound to the query and at least two come from user input. | There are no reported fixed by versions. |
|
VCID-xns2-f7um-qqgn
Aliases: CVE-2012-6147 GHSA-qmmw-ch2q-j6xx |
Typo3 Backend API XSS Vulnerability Cross-site scripting (XSS) vulnerability in the tree render API (TCA-Tree) in the Backend API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-y6zm-rwrr-m3ah
Aliases: CVE-2012-6145 GHSA-w563-rq37-cvq5 |
Typo3 Backend History Module Vulnerable to XSS Cross-site scripting (XSS) vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-y9d1-wwne-hba5
Aliases: CVE-2013-7074 GHSA-r8m7-792j-5jvq |
several |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ybdc-993m-aqfu
Aliases: CVE-2011-4901 GHSA-8grp-3j5v-543g |
Exposure of Sensitive Information to an Unauthorized Actor TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to extract arbitrary information from the TYPO3 database. |
Affected by 0 other vulnerabilities. |
|
VCID-yk4b-baue-rkbt
Aliases: CVE-2012-1607 GHSA-q68v-vcjg-r3vp |
TYPO3 allows remote attackers to obtain the database name via a direct request The Command Line Interface (CLI) script in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to obtain the database name via a direct request. | There are no reported fixed by versions. |
|
VCID-yytp-t23g-wkc8
Aliases: CVE-2012-3527 GHSA-m4hw-r893-xh4g |
TYPO3 allows remote authenticated backend users to unserialize arbitrary objects view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)." |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-zbvd-rppy-gyab
Aliases: CVE-2012-3528 GHSA-7w6c-5pr4-7qvp |
Typo3 Backend XSS Vulnerability Multiple cross-site scripting (XSS) vulnerabilities in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-zqqe-vew2-nbfk
Aliases: CVE-2013-7075 GHSA-47ww-mq32-g4xw |
TYPO3 vulnerable to Insecure Unserialize via Content Editing Wizards component The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize arbitrary PHP objects, delete arbitrary files, and possibly have other unspecified impacts via an unspecified parameter, related to a "missing signature." |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||