Search for packages
| purl | pkg:composer/typo3/cms@8.7.26 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3wq5-qkuj-c7ce
Aliases: GHSA-hww5-6x85-mc24 |
Typo3 Arbitrary Code Execution and Cross-Site Scripting in Backend API Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfig_includes is vulnerable to directory traversal leading to same scenarios as having direct access to TSconfig settings. A valid backend user account having access to modify values for fields pages.TSconfig and pages.tsconfig_includes is needed in order to exploit this vulnerability. |
Affected by 23 other vulnerabilities. Affected by 33 other vulnerabilities. |
|
VCID-56yk-z25r-nuap
Aliases: GHSA-g7hw-jh4p-75wr |
TYPO3 Cross-Site Scripting in Filelist Module It has been discovered that the output table listing in the “Files” backend module is vulnerable to cross-site scripting when a file extension contains malicious sequences. Access to the file system of the server - either directly or through synchronization - is required to exploit the vulnerability. |
Affected by 16 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-7vrs-6mah-2fh9
Aliases: CVE-2021-32668 GHSA-6mh3-j5r5-2379 |
Cross-Site Scripting in Query Generator & Query View > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.5) ### Problem Failing to properly encode error messages, the components _QueryGenerator_ and _QueryView_ are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2021-010](https://typo3.org/security/advisory/typo3-core-sa-2021-010) |
Affected by 10 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-87g8-zcww-p7bm
Aliases: CVE-2019-12748 GHSA-r6fv-56gp-j3r4 |
Typo3 Cross-Site Scripting in Link Handling TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. |
Affected by 23 other vulnerabilities. Affected by 33 other vulnerabilities. |
|
VCID-8mc9-ye3u-c3aj
Aliases: CVE-2019-19849 GHSA-rcgc-4xfc-564v |
TYPO3 Insecure Deserialization in Query Generator & Query View An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges. |
Affected by 16 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 41 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-aj9w-bguk-9yek
Aliases: 2019-06-25-5 |
Insecure Deserialization in TYPO3 CMS. |
Affected by 23 other vulnerabilities. Affected by 33 other vulnerabilities. |
|
VCID-bgk1-npak-uuhy
Aliases: GHSA-qr5f-6fcv-w69q |
Typo3 Security Misconfiguration in Frontend Session Handling It has been discovered session data of properly authenticated and logged in frontend users is kept and transformed into an anonymous user session during the logout process. This way the next user using the same client application gains access to previous session data. |
Affected by 23 other vulnerabilities. Affected by 33 other vulnerabilities. |
|
VCID-bvjs-f141-sfc7
Aliases: 2019-06-25-1 |
Information Disclosure in Backend User Interface. |
Affected by 23 other vulnerabilities. Affected by 33 other vulnerabilities. |
|
VCID-cxp1-whzb-p7hy
Aliases: GHSA-v8m4-3w37-ghxx |
TYPO3 Cross-Site Scripting in Form Framework validation handling It has been discovered that the output of field validation errors in the Form Framework is vulnerable to cross-site scripting. |
Affected by 16 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-d42j-347n-e7en
Aliases: CVE-2021-21338 GHSA-4jhw-2p6j-5wmp |
Open Redirection in Login Handling ### Problem It has been discovered that Login Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and conducting phishing attacks. No authentication is required in order to exploit this vulnerability. ### Solution Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to Alexander Kellner who reported this issue and to TYPO3 security team member Torben Hansen who fixed the issue. ### References * [TYPO3-CORE-SA-2021-001](https://typo3.org/security/advisory/typo3-core-sa-2021-001) |
Affected by 3 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 23 other vulnerabilities. |
|
VCID-ekj9-nhu4-93cc
Aliases: CVE-2021-21370 GHSA-x7hc-x7fm-f7qh |
Cross-Site Scripting in Content Preview (CType menu) ### Problem It has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to TYPO3 contributor Oliver Bartsch who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2021-008](https://typo3.org/security/advisory/typo3-core-sa-2021-008) |
Affected by 3 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 23 other vulnerabilities. |
|
VCID-fbhh-atu7-e3da
Aliases: CVE-2021-21355 GHSA-2r6j-862c-m2v2 |
Unrestricted File Upload in Form Framework ### Problem Due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. TYPO3 Extbase extensions, which implement a file upload and do not implement a custom _TypeConverter_ to transform uploaded files into _FileReference_ domain model objects are affected by the vulnerability as well, since the _UploadedFileReferenceConverter_ of _ext:form_ handles the file upload and will accept files of any mime-type which are persisted to the default location. In any way, uploaded files are placed in the default location _/fileadmin/user_upload/_, in most scenarios keeping the submitted filename - which allows attackers to directly reference files, or even correctly guess filenames used by other individuals, disclosing this information. No authentication is required to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. Type converter _UploadedFileReferenceConverter_ is not registered globally anymore and just handles uploaded files within the scope of the Form Framework. Guessable storage location has changed from _/fileadmin/user_upload/form\_\<random-hash\>/_ to _/fileadmin/form_uploads/<random-40-bit>_. Allowed mime-types must match expected file extensions (e.g. _application/pdf_ must be _.pdf_, and cannot be _.html_). Extbase extensions, who rely on the global availability of the _UploadedFileReferenceConverter_ must now implement a custom _TypeConverter_ to handle file uploads or explicitly implement the ext:form _UploadedFileReferenceConverter_ with appropriate setting for accepted mime-types. ### Credits Thanks to Sebastian Michaelsen, Marc Lindemann, Oliver Eglseder, Markus Volkmer, Jakob Kunzmann, Johannes Regner, Richie Lee who reported this issue, and to TYPO3 core & security team members Oliver Hader & Benni Mack, as well as TYPO3 contributor Ralf Zimmermann who fixed the issue. ### References * [TYPO3-CORE-SA-2021-002](https://typo3.org/security/advisory/typo3-core-sa-2021-002) |
Affected by 3 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 23 other vulnerabilities. |
|
VCID-hg6g-kn76-bfbh
Aliases: CVE-2019-19848 GHSA-77p4-wfr8-977w |
TYPO3 Directory Traversal on ZIP extraction An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.) |
Affected by 16 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-kh9n-kuvd-pbat
Aliases: CVE-2022-23501 GHSA-jfp7-79g7-89rf |
TYPO3 CMS vulnerable to Weak Authentication in Frontend Login ### Problem Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-013](https://typo3.org/security/advisory/typo3-core-sa-2022-013) |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-ks2k-ehk8-nqbm
Aliases: CVE-2021-32669 GHSA-rgcg-28xm-8mmw |
Cross-Site Scripting in Backend Grid View ### Problem Failing to properly encode settings for _backend layouts_, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to TYPO3 core merger Oliver Bartsch who reported and fixed the issue. |
Affected by 10 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-q2ch-qd6x-vqeu
Aliases: CVE-2022-31047 GHSA-fh99-4pgr-8j99 |
Insertion of Sensitive Information into Log File in typo3/cms-core > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that system internal credentials or keys (e.g. database credentials) have been logged as plaintext in exception handlers, when logging the complete exception stack trace. ### Solution Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. ### Credits Thanks to Marco Huber who reported this issue and to TYPO3 security member Torben Hansen who fixed the issue. ### References * [TYPO3-CORE-SA-2022-002](https://typo3.org/security/advisory/typo3-core-sa-2022-002) |
Affected by 12 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-rk6h-431z-ubbk
Aliases: CVE-2019-19850 GHSA-59pj-7mjh-4465 |
TYPO3 SQL Injection in low-level Query Generator An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges. |
Affected by 16 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-rmnv-emnu-6bfy
Aliases: CVE-2021-32767 GHSA-34fr-fhqr-7235 |
Information Disclosure in User Authentication > ### Meta > * CVSS: `AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the _default_ configuration. ### Solution Update to TYPO3 versions 7.6.52 ELTS, 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Ingo Schmitt who reported this issue, and to TYPO3 core & security team member Benni Mack who fixed the issue. ### References * [TYPO3-CORE-SA-2021-012](https://typo3.org/security/advisory/typo3-core-sa-2021-012) |
Affected by 10 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-rtd6-q7tg-ykfh
Aliases: CVE-2020-26227 GHSA-vqqx-jw6p-q3rf |
Cross-Site Scripting in Fluid view helpers > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7) > * CWE-79 ### Problem It has been discovered that system extension Fluid (`typo3/cms-fluid`) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. ``` <f:form ... fieldNamePrefix="{payload}" /> <f:be.labels.csh ... label="{payload}" /> <f:be.menus.actionMenu ... label="{payload}" /> ``` ### Solution Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. ### Credits Thanks to TYPO3 security team member Oliver Hader who reported this issue and to TYPO3 security team members Helmut Hummel & Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2020-010](https://typo3.org/security/advisory/typo3-core-sa-2020-010) |
Affected by 0 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 30 other vulnerabilities. |
|
VCID-snd3-qpkk-8bb5
Aliases: GHSA-q9c4-9v5m-597p |
Typo3 Information Disclosure in Backend User Interface The element information component used to display properties of a certain record is susceptible to information disclosure. The list of references from or to the record is not properly checked for the backend user’s permissions. A valid backend user account is needed in order to exploit this vulnerability. |
Affected by 23 other vulnerabilities. Affected by 33 other vulnerabilities. |
|
VCID-swwb-fm9u-tucv
Aliases: CVE-2023-24814 GHSA-r4f8-f93x-5qh3 |
TYPO3 is vulnerable to Cross-Site Scripting via frontend rendering > ### CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L/E:F/RL:O/RC:C` (8.2) ### Problem TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting [`config.absRefPrefix=auto`](https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549), attackers can inject malicious HTML code into pages that have not yet been rendered and cached. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of [`GeneralUtility::getIndpEnv('SCRIPT_NAME')`](https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484) and corresponding usages (as shown below) are vulnerable as well. - `GeneralUtility::getIndpEnv('PATH_INFO') ` - `GeneralUtility::getIndpEnv('SCRIPT_NAME') ` - `GeneralUtility::getIndpEnv('TYPO3_REQUEST_DIR')` - `GeneralUtility::getIndpEnv('TYPO3_REQUEST_SCRIPT')` - `GeneralUtility::getIndpEnv('TYPO3_SITE_PATH')` - `GeneralUtility::getIndpEnv('TYPO3_SITE_SCRIPT')` - `GeneralUtility::getIndpEnv('TYPO3_SITE_URL')` Installations of TYPO3 versions 8.7 and 9.x are probably only affected when server environment variable [`TYPO3_PATH_ROOT`](https://docs.typo3.org/m/typo3/reference-coreapi/9.5/en-us/ApiOverview/Environment/Index.html#configuring-environment-paths) is defined - which is the case if they were installed via Composer. Additional investigations confirmed that Apache and Microsoft IIS web servers using PHP-CGI (FPM, FCGI/FastCGI, or similar) are affected. There might be the risk that nginx is vulnerable as well. It was not possible to exploit Apache/mod_php scenarios. ### Solution The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.36 LTS, 11.5.23 LTS and 12.2.0 that fix the problem described above. > ℹ️ **Strong security defaults - Manual actions required** > Any web server using PHP-CGI (FPM, FCGI/FastCGI, or similar) needs to ensure that the PHP setting [**`cgi.fix_pathinfo=1`**](https://www.php.net/manual/en/ini.core.php#ini.cgi.fix-pathinfo) is used, which is the default PHP setting. In case this setting is not enabled, an exception is thrown to avoid continuing with invalid path information. For websites that cannot be patched timely the TypoScript setting [`config.absRefPrefix`](https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix) at least should be set to a static path value, instead of using `auto` - e.g. `config.absRefPrefix=/` - this **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation. ### References * [TYPO3-CORE-SA-2023-001](https://typo3.org/security/advisory/typo3-core-sa-2023-001) * [TYPO3-CORE-PSA-2023-001](https://typo3.org/security/advisory/typo3-psa-2023-001) *pre-announcement* |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-t7b2-114h-ekaw
Aliases: 2019-06-25-2 |
Cross-site Scripting Cross-Site Scripting in Link Handling. |
Affected by 23 other vulnerabilities. Affected by 33 other vulnerabilities. |
|
VCID-tbp9-2rg8-u7bk
Aliases: 2019-06-25-4 |
Code Injection Arbitrary Code Execution and Cross-Site Scripting in Backend API. |
Affected by 23 other vulnerabilities. Affected by 33 other vulnerabilities. |
|
VCID-thjz-e86b-n3a7
Aliases: CVE-2019-12747 GHSA-86hp-xrhj-fhpq |
Typo3 Vulnerable to Insecure Deserialization TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. |
Affected by 23 other vulnerabilities. Affected by 33 other vulnerabilities. |
|
VCID-tvq8-qbwc-qkfs
Aliases: CVE-2021-32768 GHSA-c5c9-8c6m-727v |
Cross-Site Scripting via Rich-Text Content > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC` (5.7) ### Problem Failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality _[HTMLparser](https://docs.typo3.org/m/typo3/reference-typoscript/10.4/en-us/Functions/Htmlparser.html)_ do not consider all potentially malicious HTML tag & attribute combinations per default. In addition, the lack of comprehensive default node configuration for rich-text fields in the backend user interface fosters this malfunction. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. ### Solution Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described above. Custom package _[typo3/html-sanitizer](https://github.com/TYPO3/html-sanitizer)_ - based on allow-lists only - takes care of sanitizing potentially malicious markup. The default behavior is based on safe and commonly used markup - however, this can be extended or restricted further in case it is necessary for individual scenarios. During the frontend rendering process, sanitization is applied to the default TypoScript path `lib.parseFunc`, which is implicitly used by the Fluid view-helper instruction `f:format.html`. Rich-text data persisted using the backend user interface is sanitized as well. Implementation details are explained in corresponding [ChangeLog documentation](https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/9.5.x/Important-94484-IntroduceHTMLSanitizer.html). ### Credits Thanks to Benjamin Stiber, Gert-Jan Jansma, Gábor Ács-Kurucz, Alexander Kellner, Richie Lee, Nina Rösch who reported this issue, and to TYPO3 security team member Oliver Hader, as well as TYPO3 contributor Susanne Moog who fixed the issue. ### References * [TYPO3-CORE-SA-2021-013](https://typo3.org/security/advisory/typo3-core-sa-2021-013) |
Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-tvtv-cfzc-z3d5
Aliases: GHSA-xgmx-j3hv-jh9x |
TYPO3 Cross-Site Scripting in Link Handling It has been discovered that `t3://` URL handling and typolink functionality are vulnerable to cross-site scripting. Not only regular backend forms are affected but also frontend extensions which use the rendering with typolink. |
Affected by 16 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-u3es-5tz4-ybfc
Aliases: 2019-06-25-3 |
Security Misconfiguration in Frontend Session Handling. |
Affected by 23 other vulnerabilities. Affected by 33 other vulnerabilities. |
|
VCID-u8we-bkyu-83b8
Aliases: CVE-2022-23503 GHSA-c5wx-6c2c-f7rm |
TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework ### Problem Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it was possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item (known as [`formDefinitionOverrides`](https://docs.typo3.org/c/typo3/cms-form/main/en-us/I/Concepts/FrontendRendering/Index.html#form-element-properties)) and a valid backend user account with access to the form module are needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-015](https://typo3.org/security/advisory/typo3-core-sa-2022-015) |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-v83x-2hx7-yycg
Aliases: CVE-2021-21339 GHSA-qx3w-4864-94ch |
Cleartext storage of session identifier ### Problem User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. ### Solution Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to TYPO3 security team member Oliver Hader who reported this issue and to TYPO3 core & security team members Benni Mack & Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2021-006](https://typo3.org/security/advisory/typo3-core-sa-2021-006) |
Affected by 3 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 23 other vulnerabilities. |
|
VCID-w2hv-ftte-fyd1
Aliases: CVE-2022-36107 GHSA-9c6w-55cp-5w25 |
TYPO3 CMS Stored Cross-Site Scripting via FileDumpController > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.0) ### Problem It has been discovered that the `FileDumpController` (backend and frontend context) is vulnerable to cross-site scripting when malicious files are displayed using this component. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above. ### Credits Thanks to Vautia who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-009](https://typo3.org/security/advisory/typo3-core-sa-2022-009) * [Vulnerability Report on huntr.dev](https://huntr.dev/bounties/51e9b709-193c-41fd-bd4a-833aaca0bd4e/) (embargoed +30 days) |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-whf8-jc59-uub6
Aliases: CVE-2021-21357 GHSA-3vg7-jw9m-pc3f |
Broken Access Control in Form Framework ### Problem Due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. Besides that, attackers can persist those files in any writable directory of the corresponding TYPO3 installation. A valid backend user account with access to the form module is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 contributor Ralf Zimmermann who fixed the issue. ### References * [TYPO3-CORE-SA-2021-003](https://typo3.org/security/advisory/typo3-core-sa-2021-003) |
Affected by 3 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 23 other vulnerabilities. |
|
VCID-xww9-ktn9-e3ga
Aliases: CVE-2022-36105 GHSA-m392-235j-9r7r |
TYPO3 CMS vulnerable to User Enumeration via Response Timing > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that observing response time during user authentication (backend and frontend) can be used to distinguish between existing and non-existing user accounts. Extension authors of 3rd party TYPO3 extensions providing a custom authentication service should check if the extension is affected by the described problem. Affected extensions must implement new `MimicServiceInterface::mimicAuthUser`, which simulates corresponding times regular processing would usually take. ### Solution Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above. ### Credits Thanks to Vautia who reported this issue and to TYPO3 core & security team members Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-007](https://typo3.org/security/advisory/typo3-core-sa-2022-007) * [Vulnerability Report on huntr.dev](https://huntr.dev/bounties/7d519735-2877-4fad-bd77-accde3e290a7/) (embargoed +30 days) |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-zhvr-3e6u-2uc6
Aliases: GHSA-hh95-5xm5-v8v7 |
TYPO3 CMS Possible Insecure Deserialization in Extbase Request Handling It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized. However, since sensitive information could have been leaked by accident (e.g. in repositories or in commonly known and unprotected backup files), there is the possibility that attackers know the private encryptionKey and are able to calculate the required HMAC-SHA1 to allow a malicious payload to be deserialized. Requirements for successfully exploiting this vulnerability (all of the following): - rendering at least one Extbase plugin in the frontend - encryptionKey has been leaked (from LocalConfiguration.php or corresponding .env file) |
Affected by 16 other vulnerabilities. Affected by 27 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-dybf-xk32-pkdg | Cross-Site Scripting in ternary conditional operator > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C`(5.0) > * CWE-79 --- :information_source: This vulnerability has been fixed in May 2019 already, CVE and GHSA were assigned later in October 2020 --- ### Problem It has been discovered that the Fluid Engine (package `typo3fluid/fluid`) is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like the following. ``` {showFullName ? fullName : defaultValue} ``` ### Solution Update to versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 of this `typo3fluid/fluid` package that fix the problem described. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) releases: * TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.5) * TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1) ### Credits Thanks to Bill Dagou who reported this issue and to TYPO3 core merger Claus Due who fixed the issue. ### References * [TYPO3-CORE-SA-2019-013](https://typo3.org/security/advisory/typo3-core-sa-2019-013) |
CVE-2020-15241
GHSA-7733-hjv6-4h47 |