Search for packages
| purl | pkg:composer/typo3/cms@6.2.30 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2ypz-t2ty-c3e3
Aliases: CVE-2020-8091 GHSA-qvhv-pwww-53jj |
Typo3 Cross-Site Scripting in Flash component (ELTS) TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 included a vulnerable external component, which could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. |
Affected by 0 other vulnerabilities. Affected by 60 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-8mc9-ye3u-c3aj
Aliases: CVE-2019-19849 GHSA-rcgc-4xfc-564v |
TYPO3 Insecure Deserialization in Query Generator & Query View An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges. |
Affected by 16 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 27 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 41 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 41 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-d42j-347n-e7en
Aliases: CVE-2021-21338 GHSA-4jhw-2p6j-5wmp |
Open Redirection in Login Handling ### Problem It has been discovered that Login Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and conducting phishing attacks. No authentication is required in order to exploit this vulnerability. ### Solution Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to Alexander Kellner who reported this issue and to TYPO3 security team member Torben Hansen who fixed the issue. ### References * [TYPO3-CORE-SA-2021-001](https://typo3.org/security/advisory/typo3-core-sa-2021-001) |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability.
This version is affected by these other vulnerabilities:
Affected by 3 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 12 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 22 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 23 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-hg6g-kn76-bfbh
Aliases: CVE-2019-19848 GHSA-77p4-wfr8-977w |
TYPO3 Directory Traversal on ZIP extraction An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.) |
Affected by 16 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 27 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 41 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-jtuy-ex79-tfbu
Aliases: CVE-2018-6905 GHSA-3w22-wrwx-2r75 |
Typo3 XSS Vulnerability The page module in TYPO3 before 8.7.11 has XSS via `$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename']`, as demonstrated by an admin entering a crafted site name during the installation process. |
Affected by 76 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 92 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 92 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-kh9n-kuvd-pbat
Aliases: CVE-2022-23501 GHSA-jfp7-79g7-89rf |
TYPO3 CMS vulnerable to Weak Authentication in Frontend Login ### Problem Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-013](https://typo3.org/security/advisory/typo3-core-sa-2022-013) |
Affected by 1 other vulnerability.
This version is affected by these other vulnerabilities:
Affected by 1 other vulnerability.
This version is affected by these other vulnerabilities:
Affected by 1 other vulnerability.
This version is affected by these other vulnerabilities:
|
|
VCID-rtd6-q7tg-ykfh
Aliases: CVE-2020-26227 GHSA-vqqx-jw6p-q3rf |
Cross-Site Scripting in Fluid view helpers > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7) > * CWE-79 ### Problem It has been discovered that system extension Fluid (`typo3/cms-fluid`) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. ``` <f:form ... fieldNamePrefix="{payload}" /> <f:be.labels.csh ... label="{payload}" /> <f:be.menus.actionMenu ... label="{payload}" /> ``` ### Solution Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. ### Credits Thanks to TYPO3 security team member Oliver Hader who reported this issue and to TYPO3 security team members Helmut Hummel & Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2020-010](https://typo3.org/security/advisory/typo3-core-sa-2020-010) |
Affected by 64 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 122 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 0 other vulnerabilities. Affected by 18 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 30 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-v83x-2hx7-yycg
Aliases: CVE-2021-21339 GHSA-qx3w-4864-94ch |
Cleartext storage of session identifier ### Problem User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. ### Solution Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to TYPO3 security team member Oliver Hader who reported this issue and to TYPO3 core & security team members Benni Mack & Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2021-006](https://typo3.org/security/advisory/typo3-core-sa-2021-006) |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability.
This version is affected by these other vulnerabilities:
Affected by 3 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 12 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 22 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 23 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2m7w-zfua-u7b9 | TYPO3 Remote Code Execution in third party library swiftmailer TYPO3 uses the package swiftmailer/swiftmailer for mail actions. This package is known to be vulnerable to Remote Code Execution. |
GHSA-g4pf-3jvq-2gcw
|
| VCID-htsn-wq8h-qbgp | Code Injection Remote Code Execution in third party library swiftmailer. |
2017-01-03-1
|