{"url":"http://public2.vulnerablecode.io/api/packages/77267?format=json","purl":"pkg:composer/typo3/cms@10.4.2","type":"composer","namespace":"typo3","name":"cms","version":"10.4.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"10.4.14","latest_non_vulnerable_version":"12.2.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54229?format=json","vulnerability_id":"VCID-1ffs-9vj5-27hk","summary":"Path Traversal\nDue to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, default `_fileDenyPattern_` successfully blocked files like `_.htaccess_` or `_malicious.php_`. Besides that, attackers can persist those files in any writable directory of the corresponding TYPO3 installation. A valid backend user account with access to the form module is needed to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21357","reference_id":"","reference_type":"","scores":[{"value":"0.01121","scoring_system":"epss","scoring_elements":"0.78584","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21357"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21357.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21357.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21357.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21357.yaml"},{"reference_url":"https://packagist.org/packages/typo3/cms-form","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-form"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-003","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-003"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21357","reference_id":"CVE-2021-21357","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21357"},{"reference_url":"https://github.com/advisories/GHSA-3vg7-jw9m-pc3f","reference_id":"GHSA-3vg7-jw9m-pc3f","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3vg7-jw9m-pc3f"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-3vg7-jw9m-pc3f","reference_id":"GHSA-3vg7-jw9m-pc3f","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-3vg7-jw9m-pc3f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80033?format=json","purl":"pkg:composer/typo3/cms@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80034?format=json","purl":"pkg:composer/typo3/cms@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@11.1.1"}],"aliases":["CVE-2021-21357","GHSA-3vg7-jw9m-pc3f"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1ffs-9vj5-27hk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52849?format=json","vulnerability_id":"VCID-1sfk-z8py-ykb8","summary":"Deserialization of Untrusted Data\nIn TYPO3 CMS, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization & remote code execution. The overall severity of this vulnerability is high based on mentioned attack chains and the requirement of having a valid backend user session (authenticated).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15098","reference_id":"","reference_type":"","scores":[{"value":"0.02358","scoring_system":"epss","scoring_elements":"0.85213","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15098"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15098.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15098.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15098.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15098.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/commit/85d3e70dff35a99ef53f4b561114acfa9e5c47e1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/commit/85d3e70dff35a99ef53f4b561114acfa9e5c47e1"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2016-013","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2016-013"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2020-008","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2020-008"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-5091","reference_id":"CVE-2016-5091","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-5091"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15098","reference_id":"CVE-2020-15098","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15098"},{"reference_url":"https://github.com/advisories/GHSA-m5vr-3m74-jwxp","reference_id":"GHSA-m5vr-3m74-jwxp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m5vr-3m74-jwxp"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-m5vr-3m74-jwxp","reference_id":"GHSA-m5vr-3m74-jwxp","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-m5vr-3m74-jwxp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77759?format=json","purl":"pkg:composer/typo3/cms@10.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-2tz2-8qdm-2kcv"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-tgyt-axv1-c7ag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.6"}],"aliases":["CVE-2020-15098","GHSA-m5vr-3m74-jwxp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1sfk-z8py-ykb8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53814?format=json","vulnerability_id":"VCID-2tz2-8qdm-2kcv","summary":"Improper Restriction of XML External Entity Reference\nTYPO3 is an open source PHP based web content management system. In TYPO3 from, and, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26229","reference_id":"","reference_type":"","scores":[{"value":"0.0027","scoring_system":"epss","scoring_elements":"0.50689","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26229"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26229.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26229.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26229.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26229.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2020-012","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2020-012"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26229","reference_id":"CVE-2020-26229","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26229"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79197?format=json","purl":"pkg:composer/typo3/cms@10.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.10"}],"aliases":["CVE-2020-26229","GHSA-q9cp-mc96-m4w2"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2tz2-8qdm-2kcv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53819?format=json","vulnerability_id":"VCID-4an7-9ph4-mkd4","summary":"Cleartext Storage of Sensitive Information\nTYPO3 is an open source PHP based web content management system. In TYPO3 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26228","reference_id":"","reference_type":"","scores":[{"value":"0.00177","scoring_system":"epss","scoring_elements":"0.39002","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26228"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26228.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26228.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26228.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26228.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-954j-f27r-cj52","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-954j-f27r-cj52"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2020-011","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2020-011"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26228","reference_id":"CVE-2020-26228","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26228"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79197?format=json","purl":"pkg:composer/typo3/cms@10.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.10"}],"aliases":["CVE-2020-26228","GHSA-954j-f27r-cj52"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4an7-9ph4-mkd4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54218?format=json","vulnerability_id":"VCID-6mnf-2fcw-dqgp","summary":"Asymmetric Resource Consumption (Amplification)\nRequesting invalid or non-existing resources via HTTP, triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21359","reference_id":"","reference_type":"","scores":[{"value":"0.00589","scoring_system":"epss","scoring_elements":"0.69527","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21359"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21359.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21359.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21359.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21359.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4p9g-qgx9-397p","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4p9g-qgx9-397p"},{"reference_url":"https://packagist.org/packages/typo3/cms-core","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-core"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-005","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-005"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21359","reference_id":"CVE-2021-21359","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21359"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80033?format=json","purl":"pkg:composer/typo3/cms@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80034?format=json","purl":"pkg:composer/typo3/cms@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@11.1.1"}],"aliases":["CVE-2021-21359","GHSA-4p9g-qgx9-397p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6mnf-2fcw-dqgp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54226?format=json","vulnerability_id":"VCID-6urp-p9mn-cffv","summary":"Cross-site Scripting\nDatabase fields used as `_descriptionColumn_` are vulnerable to cross-site scripting when their content gets previewed. A valid backend user account is needed to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21340","reference_id":"","reference_type":"","scores":[{"value":"0.00379","scoring_system":"epss","scoring_elements":"0.59738","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21340"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21340.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21340.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21340.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21340.yaml"},{"reference_url":"https://packagist.org/packages/typo3/cms-backend","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-backend"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-007","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-007"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21340","reference_id":"CVE-2021-21340","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21340"},{"reference_url":"https://github.com/advisories/GHSA-fjh3-g8gq-9q92","reference_id":"GHSA-fjh3-g8gq-9q92","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fjh3-g8gq-9q92"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-fjh3-g8gq-9q92","reference_id":"GHSA-fjh3-g8gq-9q92","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-fjh3-g8gq-9q92"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80033?format=json","purl":"pkg:composer/typo3/cms@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80034?format=json","purl":"pkg:composer/typo3/cms@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@11.1.1"}],"aliases":["CVE-2021-21340","GHSA-fjh3-g8gq-9q92"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6urp-p9mn-cffv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54219?format=json","vulnerability_id":"VCID-848u-w88s-5bbe","summary":"Unrestricted Upload of File with Dangerous Type\nDue to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default `_fileDenyPattern_` successfully blocked files like `_.htaccess_` or `_malicious.php_`. Additionally, `_UploadedFileReferenceConverter_` transforming uploaded files into proper FileReference domain model objects handles possible file uploads for other extensions as well - given those extensions use the Extbase MVC framework, make use of FileReference items in their direct or inherited domain model definitions and did not implement their own type converter. In case this scenario applies, `_UploadedFileReferenceConverter_` accepts any file mime-type and persists files in the default location. In any way, uploaded files are placed in the default location `_/fileadmin/user_upload/_`, in most scenarios keeping the submitted filename - which allows attackers to directly reference files, or even correctly guess filenames used by other individuals, disclosing this information. No authentication is required to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21355","reference_id":"","reference_type":"","scores":[{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.62059","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21355"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21355.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21355.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21355.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21355.yaml"},{"reference_url":"https://packagist.org/packages/typo3/cms-form","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-form"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-002","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-002"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21355","reference_id":"CVE-2021-21355","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21355"},{"reference_url":"https://github.com/advisories/GHSA-2r6j-862c-m2v2","reference_id":"GHSA-2r6j-862c-m2v2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2r6j-862c-m2v2"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2r6j-862c-m2v2","reference_id":"GHSA-2r6j-862c-m2v2","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2r6j-862c-m2v2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80033?format=json","purl":"pkg:composer/typo3/cms@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80034?format=json","purl":"pkg:composer/typo3/cms@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@11.1.1"}],"aliases":["CVE-2021-21355","GHSA-2r6j-862c-m2v2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-848u-w88s-5bbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54223?format=json","vulnerability_id":"VCID-c46m-ht19-ybc4","summary":"Cross-site Scripting\nThe Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21358","reference_id":"","reference_type":"","scores":[{"value":"0.00379","scoring_system":"epss","scoring_elements":"0.59738","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21358"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21358.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21358.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21358.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21358.yaml"},{"reference_url":"https://packagist.org/packages/typo3/cms-form","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-form"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-004","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-004"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21358","reference_id":"CVE-2021-21358","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21358"},{"reference_url":"https://github.com/advisories/GHSA-x79j-wgqv-g8h2","reference_id":"GHSA-x79j-wgqv-g8h2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x79j-wgqv-g8h2"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x79j-wgqv-g8h2","reference_id":"GHSA-x79j-wgqv-g8h2","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x79j-wgqv-g8h2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80033?format=json","purl":"pkg:composer/typo3/cms@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80034?format=json","purl":"pkg:composer/typo3/cms@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@11.1.1"}],"aliases":["CVE-2021-21358","GHSA-x79j-wgqv-g8h2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c46m-ht19-ybc4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54233?format=json","vulnerability_id":"VCID-ev4k-5k1d-2bhu","summary":"URL Redirection to Untrusted Site (Open Redirect)\nLogin Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and conducting phishing attacks. No authentication is required in order to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21338","reference_id":"","reference_type":"","scores":[{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48774","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21338"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21338.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21338.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21338.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21338.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4jhw-2p6j-5wmp","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4jhw-2p6j-5wmp"},{"reference_url":"https://packagist.org/packages/typo3/cms-core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-core"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-001","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-001"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21338","reference_id":"CVE-2021-21338","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21338"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80033?format=json","purl":"pkg:composer/typo3/cms@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80034?format=json","purl":"pkg:composer/typo3/cms@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@11.1.1"}],"aliases":["CVE-2021-21338","GHSA-4jhw-2p6j-5wmp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ev4k-5k1d-2bhu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54220?format=json","vulnerability_id":"VCID-fqkx-v8t5-q3h6","summary":"Cleartext Storage of Sensitive Information\nUser session identifiers are stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - for example SQL injection in any other component of the system.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21339","reference_id":"","reference_type":"","scores":[{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32224","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21339"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21339.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21339.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21339.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21339.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-qx3w-4864-94ch","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-qx3w-4864-94ch"},{"reference_url":"https://packagist.org/packages/typo3/cms-core","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-core"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-006","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-006"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21339","reference_id":"CVE-2021-21339","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21339"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80033?format=json","purl":"pkg:composer/typo3/cms@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80034?format=json","purl":"pkg:composer/typo3/cms@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@11.1.1"}],"aliases":["CVE-2021-21339","GHSA-qx3w-4864-94ch"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fqkx-v8t5-q3h6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54221?format=json","vulnerability_id":"VCID-jp1p-rfxa-hyd9","summary":"Cross-site Scripting\nContent elements of type `_menu_` are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21370","reference_id":"","reference_type":"","scores":[{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.57112","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21370"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21370.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21370.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21370.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21370.yaml"},{"reference_url":"https://packagist.org/packages/typo3/cms-backend","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-backend"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-008","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-008"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21370","reference_id":"CVE-2021-21370","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21370"},{"reference_url":"https://github.com/advisories/GHSA-x7hc-x7fm-f7qh","reference_id":"GHSA-x7hc-x7fm-f7qh","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x7hc-x7fm-f7qh"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh","reference_id":"GHSA-x7hc-x7fm-f7qh","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80033?format=json","purl":"pkg:composer/typo3/cms@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80034?format=json","purl":"pkg:composer/typo3/cms@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@11.1.1"}],"aliases":["CVE-2021-21370","GHSA-x7hc-x7fm-f7qh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jp1p-rfxa-hyd9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53815?format=json","vulnerability_id":"VCID-tgyt-axv1-c7ag","summary":"Cross-site Scripting\nTYPO3 is an open source PHP based web content management system. In TYPO3 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. Update to TYPO3 that fix the problem described.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26227","reference_id":"","reference_type":"","scores":[{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.5838","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26227"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26227.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26227.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26227.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26227.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-vqqx-jw6p-q3rf","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-vqqx-jw6p-q3rf"},{"reference_url":"https://packagist.org/packages/typo3/cms-core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-core"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2020-010","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2020-010"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26227","reference_id":"CVE-2020-26227","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26227"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79197?format=json","purl":"pkg:composer/typo3/cms@10.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.10"}],"aliases":["CVE-2020-26227","GHSA-vqqx-jw6p-q3rf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tgyt-axv1-c7ag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52851?format=json","vulnerability_id":"VCID-zkvq-bms4-gfcv","summary":"Improper Input Validation\nIn TYPO3 CMS, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1), it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch `typo3conf/LocalConfiguration.php`, which again contains the `encryptionKey` as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, this allows the ability to completely retrieve, manipulate or delete database contents. This includes creating an administration user account which can be used to trigger remote code execution by injecting custom extensions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15099","reference_id":"","reference_type":"","scores":[{"value":"0.01187","scoring_system":"epss","scoring_elements":"0.79142","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15099"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15099.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15099.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15099.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15099.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2020-007","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2020-007"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15099","reference_id":"CVE-2020-15099","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15099"},{"reference_url":"https://github.com/advisories/GHSA-3x94-fv5h-5q2c","reference_id":"GHSA-3x94-fv5h-5q2c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3x94-fv5h-5q2c"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-3x94-fv5h-5q2c","reference_id":"GHSA-3x94-fv5h-5q2c","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-3x94-fv5h-5q2c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77759?format=json","purl":"pkg:composer/typo3/cms@10.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-2tz2-8qdm-2kcv"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-tgyt-axv1-c7ag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.6"}],"aliases":["CVE-2020-15099","GHSA-3x94-fv5h-5q2c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zkvq-bms4-gfcv"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52603?format=json","vulnerability_id":"VCID-8w4e-d49b-nbg8","summary":"Cross-Site Request Forgery (CSRF)\nIn TYPO3 CMS, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victims' user session. In a worst-case scenario, new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS). Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a third party extension, e.g., file upload in a contact form with knowing the target location. To be successful, the attacked victim requires an active and valid backend or install tool user session at the time of the attack.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11069","reference_id":"","reference_type":"","scores":[{"value":"0.00398","scoring_system":"epss","scoring_elements":"0.60932","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11069"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11069.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11069.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11069.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11069.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-pqg8-crx9-g8m4","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-pqg8-crx9-g8m4"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2020-006","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2020-006"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11069","reference_id":"CVE-2020-11069","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11069"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77270?format=json","purl":"pkg:composer/typo3/cms@9.5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-1sfk-z8py-ykb8"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-tgyt-axv1-c7ag"},{"vulnerability":"VCID-zkvq-bms4-gfcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.17"},{"url":"http://public2.vulnerablecode.io/api/packages/77267?format=json","purl":"pkg:composer/typo3/cms@10.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-1sfk-z8py-ykb8"},{"vulnerability":"VCID-2tz2-8qdm-2kcv"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-tgyt-axv1-c7ag"},{"vulnerability":"VCID-zkvq-bms4-gfcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.2"}],"aliases":["CVE-2020-11069","GHSA-pqg8-crx9-g8m4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8w4e-d49b-nbg8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52596?format=json","vulnerability_id":"VCID-bbh5-rss8-bfct","summary":"Deserialization of Untrusted Data\nIt has been discovered that backend user settings (in `$BE_USER->uc`) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11067","reference_id":"","reference_type":"","scores":[{"value":"0.01181","scoring_system":"epss","scoring_elements":"0.79096","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11067"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11067.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11067.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11067.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11067.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2wj9-434x-9hvp","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2wj9-434x-9hvp"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2020-005","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2020-005"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11067","reference_id":"CVE-2020-11067","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11067"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77270?format=json","purl":"pkg:composer/typo3/cms@9.5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-1sfk-z8py-ykb8"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-tgyt-axv1-c7ag"},{"vulnerability":"VCID-zkvq-bms4-gfcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.17"},{"url":"http://public2.vulnerablecode.io/api/packages/77267?format=json","purl":"pkg:composer/typo3/cms@10.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-1sfk-z8py-ykb8"},{"vulnerability":"VCID-2tz2-8qdm-2kcv"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-tgyt-axv1-c7ag"},{"vulnerability":"VCID-zkvq-bms4-gfcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.2"}],"aliases":["CVE-2020-11067","GHSA-2wj9-434x-9hvp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bbh5-rss8-bfct"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52592?format=json","vulnerability_id":"VCID-bcbd-zzet-mff6","summary":"Cross-site Scripting\nIt has been discovered that link tags generated by the typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11065","reference_id":"","reference_type":"","scores":[{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42771","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11065"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11065.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11065.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11065.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11065.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4j77-gg36-9864","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4j77-gg36-9864"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2020-003","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2020-003"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11065","reference_id":"CVE-2020-11065","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11065"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77270?format=json","purl":"pkg:composer/typo3/cms@9.5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-1sfk-z8py-ykb8"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-tgyt-axv1-c7ag"},{"vulnerability":"VCID-zkvq-bms4-gfcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.17"},{"url":"http://public2.vulnerablecode.io/api/packages/77267?format=json","purl":"pkg:composer/typo3/cms@10.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-1sfk-z8py-ykb8"},{"vulnerability":"VCID-2tz2-8qdm-2kcv"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-tgyt-axv1-c7ag"},{"vulnerability":"VCID-zkvq-bms4-gfcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.2"}],"aliases":["CVE-2020-11065","GHSA-4j77-gg36-9864"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bcbd-zzet-mff6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52602?format=json","vulnerability_id":"VCID-e6zr-4bgg-kkh5","summary":"Improperly Controlled Modification of Dynamically-Determined Object Attributes\nCalling `unserialize()` on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the website (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11066","reference_id":"","reference_type":"","scores":[{"value":"0.00528","scoring_system":"epss","scoring_elements":"0.67492","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11066"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11066.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11066.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11066.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11066.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2rxh-h6h9-qrqc","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2rxh-h6h9-qrqc"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2020-004","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2020-004"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11066","reference_id":"CVE-2020-11066","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11066"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77270?format=json","purl":"pkg:composer/typo3/cms@9.5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-1sfk-z8py-ykb8"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-tgyt-axv1-c7ag"},{"vulnerability":"VCID-zkvq-bms4-gfcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.17"},{"url":"http://public2.vulnerablecode.io/api/packages/77267?format=json","purl":"pkg:composer/typo3/cms@10.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-1sfk-z8py-ykb8"},{"vulnerability":"VCID-2tz2-8qdm-2kcv"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-tgyt-axv1-c7ag"},{"vulnerability":"VCID-zkvq-bms4-gfcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.2"}],"aliases":["CVE-2020-11066","GHSA-2rxh-h6h9-qrqc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e6zr-4bgg-kkh5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52593?format=json","vulnerability_id":"VCID-n1gz-y615-cbbk","summary":"Cross-site Scripting\nIt has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11064","reference_id":"","reference_type":"","scores":[{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42771","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11064"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11064.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11064.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11064.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11064.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-43gj-mj2w-wh46","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-43gj-mj2w-wh46"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2020-002","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2020-002"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11064","reference_id":"CVE-2020-11064","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11064"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77270?format=json","purl":"pkg:composer/typo3/cms@9.5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-1sfk-z8py-ykb8"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-tgyt-axv1-c7ag"},{"vulnerability":"VCID-zkvq-bms4-gfcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.17"},{"url":"http://public2.vulnerablecode.io/api/packages/77267?format=json","purl":"pkg:composer/typo3/cms@10.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-1sfk-z8py-ykb8"},{"vulnerability":"VCID-2tz2-8qdm-2kcv"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-tgyt-axv1-c7ag"},{"vulnerability":"VCID-zkvq-bms4-gfcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.2"}],"aliases":["CVE-2020-11064","GHSA-43gj-mj2w-wh46"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n1gz-y615-cbbk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52594?format=json","vulnerability_id":"VCID-r3az-g422-gqf9","summary":"Information Disclosure in Password Reset\nIn TYPO3 CMS 10.4.0 through 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts.\n\nThis has been fixed in 10.4.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11063","reference_id":"","reference_type":"","scores":[{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52817","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11063"},{"reference_url":"https://github.com/TYPO3/typo3","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/typo3"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-347x-877p-hcwx","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-347x-877p-hcwx"},{"reference_url":"https://github.com/TYPO3/typo3/commit/14929b98ecda0ce67329b0f25ca7c01ee85df574","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/typo3/commit/14929b98ecda0ce67329b0f25ca7c01ee85df574"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2020-001","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2020-001"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11063","reference_id":"CVE-2020-11063","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11063"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11063.yaml","reference_id":"CVE-2020-11063.YAML","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11063.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11063.yaml","reference_id":"CVE-2020-11063.YAML","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11063.yaml"},{"reference_url":"https://github.com/advisories/GHSA-347x-877p-hcwx","reference_id":"GHSA-347x-877p-hcwx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-347x-877p-hcwx"},{"reference_url":"https://github.com/TYPO3/typo3/security/advisories/GHSA-347x-877p-hcwx","reference_id":"GHSA-347x-877p-hcwx","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/typo3/security/advisories/GHSA-347x-877p-hcwx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77267?format=json","purl":"pkg:composer/typo3/cms@10.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-1sfk-z8py-ykb8"},{"vulnerability":"VCID-2tz2-8qdm-2kcv"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-tgyt-axv1-c7ag"},{"vulnerability":"VCID-zkvq-bms4-gfcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.2"}],"aliases":["CVE-2020-11063","GHSA-347x-877p-hcwx"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r3az-g422-gqf9"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@10.4.2"}