Search for packages
| purl | pkg:composer/typo3/cms@6.2.23 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1jcy-nx8g-z3d3
Aliases: 2016-11-22-1 |
Insecure Deserialization Insecure Unserialize in TYPO3 Backend. |
Affected by 10 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 46 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 92 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-1qjx-grvf-y7bk
Aliases: GHSA-c7rj-92xr-wprg |
Insecure Unserialize in TYPO3 Backend Failing to properly validate incoming data, the suggest wizard is susceptible to insecure unserialize. To exploit this vulnerability a valid backend user account is needed. |
Affected by 10 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 46 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 92 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-25t3-1sm6-3kdn
Aliases: 2016-09-14-1 |
Cross-site Scripting XSS in TYPO3 Backend. |
Affected by 16 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 52 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 102 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-435j-f3yx-9yep
Aliases: 2016-11-22-2 |
Path Traversal in TYPO3 Core. |
Affected by 10 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 46 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 92 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-5jgb-dsyx-hyb4
Aliases: CVE-2021-21338 GHSA-4jhw-2p6j-5wmp |
Open Redirection in Login Handling ### Problem It has been discovered that Login Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and conducting phishing attacks. No authentication is required in order to exploit this vulnerability. ### Solution Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to Alexander Kellner who reported this issue and to TYPO3 security team member Torben Hansen who fixed the issue. ### References * [TYPO3-CORE-SA-2021-001](https://typo3.org/security/advisory/typo3-core-sa-2021-001) |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability.
This version is affected by these other vulnerabilities:
Affected by 3 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 12 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 22 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 23 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-5ppt-avmb-cqb2
Aliases: 2016-09-14-2 |
Uncontrolled Resource Consumption Cache Flooding in TYPO3 Frontend. |
Affected by 16 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 52 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 102 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-6wsa-4ywc-8fh4
Aliases: GHSA-pw2q-qwvj-gh43 |
Cache Flooding in TYPO3 Frontend Links with a valid cHash argument lead to newly generated page cache entries. Because the cHash is not bound to a specific page, attackers could use valid cHash arguments for multiple pages, leading to additional useless page cache entries. Depending on the number of pages in the system and the number of available valid links with a cHash, attackers could add a considerable amount of additional cache entries, which in the end exceed storage limits and thus could lead to the system not responding any more. This means the Cache Flooding attack potentially could lead to a successful Denial of Service (DoS) attack. |
Affected by 16 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 52 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 98 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-7d1g-j3k5-gub8
Aliases: 2016-07-19-4 |
Information Disclosure in TYPO3 Backend. |
Affected by 20 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 56 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 101 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-8jp8-a363-67be
Aliases: GHSA-86r8-4g3w-7xjp |
Cross-Site Scripting in TYPO3 Backend Failing to properly encode user input, some backend components are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability. |
Affected by 20 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 56 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 101 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-bck9-34jp-6ydx
Aliases: GHSA-vpr3-rc99-2wpr |
Information Disclosure in TYPO3 Backend The TYPO3 backend module stores the username of an authenticated backend user in its cache files. By guessing the file path to the cache files it is possible to receive valid backend usernames. |
Affected by 20 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 56 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 101 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-c6zq-cfg5-u7d9
Aliases: GHSA-gj48-w74w-8gvm GMS-2024-342 |
Path Traversal in TYPO3 Core Due to a too loose type check in an API method, attackers could bypass the directory traversal check by providing an invalid UTF-8 encoding sequence. |
Affected by 10 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 46 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 92 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-dsu7-jjjq-f3e1
Aliases: CVE-2021-21339 GHSA-qx3w-4864-94ch |
Cleartext storage of session identifier ### Problem User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. ### Solution Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to TYPO3 security team member Oliver Hader who reported this issue and to TYPO3 core & security team members Benni Mack & Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2021-006](https://typo3.org/security/advisory/typo3-core-sa-2021-006) |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability.
This version is affected by these other vulnerabilities:
Affected by 3 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 12 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 22 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 23 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-f963-qur3-2qb7
Aliases: CVE-2020-26227 GHSA-vqqx-jw6p-q3rf |
Cross-Site Scripting in Fluid view helpers > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7) > * CWE-79 ### Problem It has been discovered that system extension Fluid (`typo3/cms-fluid`) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. ``` <f:form ... fieldNamePrefix="{payload}" /> <f:be.labels.csh ... label="{payload}" /> <f:be.menus.actionMenu ... label="{payload}" /> ``` ### Solution Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. ### Credits Thanks to TYPO3 security team member Oliver Hader who reported this issue and to TYPO3 security team members Helmut Hummel & Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2020-010](https://typo3.org/security/advisory/typo3-core-sa-2020-010) |
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 122 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 0 other vulnerabilities. Affected by 18 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 30 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-fber-yp9q-f7dr
Aliases: 2016-05-24-1 |
Improper Access Control Missing Access Check in TYPO3 CMS. |
Affected by 32 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 70 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 113 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-gcnj-6qb6-pbgz
Aliases: CVE-2019-19848 GHSA-77p4-wfr8-977w |
TYPO3 Directory Traversal on ZIP extraction An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.) |
Affected by 16 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 27 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 41 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-gezz-pvpj-p3c6
Aliases: GHSA-gwfx-p7mr-f92v |
Missing Access Check in TYPO3 CMS Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute. |
Affected by 32 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 70 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 113 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-h2dd-7b1r-k7bs
Aliases: 2016-07-19-3 |
SQL Injection in TYPO3 Frontend Login. |
Affected by 20 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 56 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 122 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-h958-d3pm-kfcs
Aliases: TYPO3-CORE-SA-2016-013 |
Missing Access Check Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute. |
Affected by 33 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 70 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 113 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-hv3n-j8ck-1ufx
Aliases: GHSA-g4pf-3jvq-2gcw |
TYPO3 Remote Code Execution in third party library swiftmailer TYPO3 uses the package swiftmailer/swiftmailer for mail actions. This package is known to be vulnerable to Remote Code Execution. |
Affected by 8 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 45 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 94 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-jmu3-5k7e-x7ch
Aliases: TYPO3-CORE-SA-2016-021 |
Failing to properly encode user input, the page module is vulnerable to Cross-Site Scripting. A valid backend user account with permissions to edit plugins is needed to exploit this vulnerability. |
Affected by 16 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 52 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 122 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 98 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-jqx9-41zx-dbcy
Aliases: TYPO3-CORE-SA-2016-022 |
Cache Flooding in Frontend Links with a valid cHash argument lead to newly generated page cache entries. Because the cHash is not bound to a specific page, attackers could use valid cHash arguments for multiple pages, leading to additional useless page cache entries. Depending on the number of pages in the system and the number of available valid links with a cHash, attackers could add a considerable amount of additional cache entries, which in the end exceed storage limits and thus could lead to the system not responding any more. This means the Cache Flooding attack potentially could lead to a successful Denial of Service (DoS) attack. |
Affected by 16 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 52 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 122 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 98 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-m3nf-1qbv-d3dj
Aliases: 2016-07-19-2 |
Deserialization of Untrusted Data Insecure Unserialize in TYPO3 Import/Export. |
Affected by 20 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 56 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 101 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-mqk6-z77g-bfdv
Aliases: GHSA-hq37-rfjc-mr8h |
Cross-Site Scripting (XSS) in TYPO3 Backend Failing to properly encode user input, the page module is vulnerable to Cross-Site Scripting. A valid backend user account with permissions to edit plugins is needed to exploit this vulnerability. |
Affected by 16 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 52 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 98 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-n61z-6v8a-hygf
Aliases: GHSA-p5c5-gmj4-g48f |
Cross-Site Scripting (XSS) vulnerability in typolinks All link fields within the TYPO3 installation are vulnerable to Cross-Site Scripting as authorized editors can insert data commands by using the url scheme "data:". |
Affected by 20 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 56 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 101 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-nnh9-udcj-m7fv
Aliases: TYPO3-CORE-SA-2016-024 |
Path Traversal Due to a too loose type check in an API method, attackers could bypass the directory traversal check by providing an invalid UTF-8 encoding sequence. |
Affected by 10 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 46 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 92 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-nwxj-3ajk-rkh5
Aliases: CVE-2018-6905 GHSA-3w22-wrwx-2r75 |
Cross-site Scripting The page module in TYPO3 is vulnerable to XSS via `$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename']`, as demonstrated by an admin entering a crafted site name during the installation process. |
Affected by 76 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 92 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 92 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-p545-vwe6-9kfr
Aliases: GHSA-xvcp-33rc-j8gq |
Insecure Unserialize in TYPO3 Import/Export Failing to properly validate incoming import data, the Import/Export component is susceptible to insecure unserialize. To exploit this vulnerability a valid backend user account is needed. |
Affected by 20 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 56 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 101 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-prbd-r82t-87dm
Aliases: TYPO3-CORE-SA-2016-023 |
Insecure Unserialize in TYPO3 Backend Failing to properly validate incoming data, the suggest wizard is susceptible to insecure unserialize. To exploit this vulnerability a valid backend user account is needed. |
Affected by 10 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 46 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 92 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-q9ak-qcq6-qfhy
Aliases: 2017-01-03-1 |
Code Injection Remote Code Execution in third party library swiftmailer. |
Affected by 8 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 45 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 95 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-re9h-ze98-rbhu
Aliases: CVE-2020-8091 GHSA-qvhv-pwww-53jj |
Typo3 Cross-Site Scripting in Flash component (ELTS) TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 included a vulnerable external component, which could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. |
Affected by 0 other vulnerabilities. Affected by 60 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-rkms-w15c-4yb1
Aliases: GHSA-j86x-pjmr-9m6w |
SQL Injection in TYPO3 Frontend Login Failing to properly escape user input, the frontend login component is vulnerable to SQL Injection. A valid frontend user account is needed to exploit this vulnerability. |
Affected by 20 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 56 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-uckg-j48d-efad
Aliases: 2016-07-19-1 |
Cross-site Scripting Cross-Site Scripting in TYPO3 Backend. |
Affected by 20 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 56 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 101 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-utpu-q2dv-m3hm
Aliases: 2016-07-19-5 |
Cross-site Scripting Cross-Site Scripting vulnerability in typolinks. |
Affected by 20 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 56 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 101 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-xa4m-xpa9-v7h8
Aliases: CVE-2019-19849 GHSA-rcgc-4xfc-564v |
TYPO3 Insecure Deserialization in Query Generator & Query View An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges. |
Affected by 16 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 27 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 41 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 41 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-zdq2-dhb2-6kaq
Aliases: CVE-2022-23501 GHSA-jfp7-79g7-89rf GMS-2022-8134 |
TYPO3 CMS vulnerable to Weak Authentication in Frontend Login ### Problem Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-013](https://typo3.org/security/advisory/typo3-core-sa-2022-013) |
Affected by 1 other vulnerability.
This version is affected by these other vulnerabilities:
Affected by 1 other vulnerability.
This version is affected by these other vulnerabilities:
Affected by 1 other vulnerability.
This version is affected by these other vulnerabilities:
|
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||