purl | pkg:composer/typo3/cms@8.2.1 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-1d1x-7vx6-zbfw (Aliases: CVE-2017-14251, GHSA-fh4q-hxrw-cjqq) | TYPO3 Arbitrary Code Execution: Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code. | Affected by 0 other vulnerabilities. |
Vulnerability | Summary | Aliases |
---|---|---|
VCID-3c1n-du49-6bes | | CVE-2016-5385, GHSA-m6ch-gg5f-wxx3 |
VCID-6bne-vnc6-wfe9 | Cross-site Scripting: Cross-Site Scripting vulnerability in typolinks. | 2016-07-19-5 |
VCID-8a25-9af4-tyhk | Insecure Unserialize in TYPO3 Import/Export: Failing to properly validate incoming import data, the Import/Export component is susceptible to insecure unserialize. To exploit this vulnerability a valid backend user account is needed. | GHSA-xvcp-33rc-j8gq |
VCID-axg7-qg5u-kbg7 | Cross-Site Scripting in TYPO3 Backend: Failing to properly encode user input, some backend components are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability. | GHSA-86r8-4g3w-7xjp |
VCID-cdkv-3rbf-27ed | Information Disclosure in TYPO3 Backend. | 2016-07-19-4 |
VCID-d2qd-qjn9-jffs | Cross-site Scripting: Cross-Site Scripting in TYPO3 Backend. | 2016-07-19-1 |
VCID-d381-rcq3-n3az | Information Disclosure in TYPO3 Backend: The TYPO3 backend module stores the username of an authenticated backend user in its cache files. By guessing the file path to the cache files it is possible to receive valid backend usernames. | GHSA-vpr3-rc99-2wpr |
VCID-dc9k-gxr2-6bah | Cross-site Scripting: Cross-Site Scripting in third party library `mso/idna-convert`. | 2016-07-19-7 |
VCID-dm6k-fzm6-sqbe | Cross-Site Scripting (XSS) vulnerability in typolinks: All link fields within the TYPO3 installation are vulnerable to Cross-Site Scripting as authorized editors can insert data commands by using the url scheme "data:". | GHSA-p5c5-gmj4-g48f |
VCID-psu6-y6fc-nqh4 | Deserialization of Untrusted Data: Insecure Unserialize in TYPO3 Import/Export. | 2016-07-19-2 |
VCID-tdsj-15xc-x3ar | Cross-Site Scripting in third party library mso/idna-convert: Make sure to not expose the vendor directory to the publicly accessible document root. In composer managed installation, make sure to configure a dedicated web folder. In general it is recommended to not expose the complete typo3_src sources folder in the document root. | GHSA-qmwf-j7g7-f5jw |
VCID-ungm-t9nm-hyf8 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): Environment Variable Injection. | 2016-07-19-6 |