Search for packages
| purl | pkg:composer/typo3/cms@6.0.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-635d-efe6-bbgm
Aliases: CVE-2013-4250 GHSA-54jj-pxx2-pv8h |
TYPO3 doesn't properly check file extensions The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploading a .php file. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9j2h-q1n5-kbgt
Aliases: CVE-2014-3943 GHSA-qqh2-h6gw-6x8x |
Typo3 XSS Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 104 other vulnerabilities. |
|
VCID-b5ht-z6zp-pbht
Aliases: CVE-2015-5956 GHSA-989h-wv8x-933p |
Cross-Site Scripting Vulnerability It has been discovered, that it is possible to forge a link to a backend module, which contains a JavaScript payload. This JavaScript is executed, if an authenticated editor with access to the module follows the link that, is tricked to click on a certain HTML target. Because TYPO3 include a secret token unknown to an attacker in every URL, an exploit would not be feasible for these versions. |
Affected by 79 other vulnerabilities. Affected by 44 other vulnerabilities. |
|
VCID-d79s-4kzk-hugy
Aliases: CVE-2014-3941 GHSA-594h-cx6w-p4jf |
Typo3 Host Header Spoofing Vulnerability TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing." |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 104 other vulnerabilities. |
|
VCID-m3dg-q4eg-wyfb
Aliases: CVE-2014-3942 GHSA-55g3-fjwm-w2c8 |
TYPO3 Color Picker Wizard component allows remote authenticated editors to execute arbitrary PHP code The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-nsh9-8twn-6ydn
Aliases: CVE-2013-4321 GHSA-m76j-69c2-c3m8 |
TYPO3 vulnerable to remote authenticated arbitrary code execution The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4250. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-p8m8-y53c-cubn
Aliases: CVE-2013-7073 GHSA-4rpv-g4gq-rh4m |
TYPO3 vulnerable to Information Disclosure via Content Editing Wizards component The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-vbbx-pk8m-jfhd
Aliases: CVE-2014-9509 GHSA-5479-gqqr-f9gj |
Typo3 Vulnerable to Cache Poisoning **Problem Description:** A request URL with arbitrary arguments, but still pointing to the home page of a TYPO3 installation can be cached if the configuration option `config.prefixLocalAnchors` is used with the values "all" or "cached". The impact of this vulnerability is that unfamiliar looking links to the home page can end up in the cache, which leads to a reload of the page in the browser when section links are followed by web page visitors, instead of just directly jumping to the requested section of the page. TYPO3 versions 4.6.x and higher are only affected if the homepage is not a shortcut to a different page. **Solution:** Removing the configuration options `config.prefixLocalAnchors` (and optionally also config.baseUrl) in favor of `config.absRefPrefix` **Credits:** Thanks to Gernot Leitgab who discovered and reported the vulnerability. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 95 other vulnerabilities. Affected by 61 other vulnerabilities. |
|
VCID-y9d1-wwne-hba5
Aliases: CVE-2013-7074 GHSA-r8m7-792j-5jvq |
several |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-zqqe-vew2-nbfk
Aliases: CVE-2013-7075 GHSA-47ww-mq32-g4xw |
TYPO3 vulnerable to Insecure Unserialize via Content Editing Wizards component The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize arbitrary PHP objects, delete arbitrary files, and possibly have other unspecified impacts via an unspecified parameter, related to a "missing signature." |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||