VulnerableCode Package Details - pkg:composer/typo3/cms-backend@11.1.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-bccy-q51m-b3gy Aliases: CVE-2024-34537 GHSA-ffcv-v6pw-qhrp	Denial of Service in TYPO3 Bookmark Toolbar ### Problem Due to insufficient input validation, manipulated data saved in the bookmark toolbar of the backend user interface causes a general error state, blocking further access to the interface. Exploiting this vulnerability requires an administrator-level backend user account. ### Solution Update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. ### Credits Thanks to Hendrik Eichner who reported this issue and to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-011](https://typo3.org/security/advisory/typo3-core-sa-2024-001)	11.5.40 Affected by 0 other vulnerabilities. 12.4.21 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 13.3.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-nqe1-b3zv-pufk Aliases: CVE-2024-47780 GHSA-rf5m-h8q9-9w6q	Information Disclosure in TYPO3 Page Tree ### Problem Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to "everybody." However, affected users could not manipulate these pages. ### Solution Update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. ### Credits Thanks to Peter Schuler who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue.	11.5.40 Affected by 0 other vulnerabilities. 12.4.21 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 13.3.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-bccy-q51m-b3gy
Aliases:
CVE-2024-34537
GHSA-ffcv-v6pw-qhrp

Denial of Service in TYPO3 Bookmark Toolbar ### Problem Due to insufficient input validation, manipulated data saved in the bookmark toolbar of the backend user interface causes a general error state, blocking further access to the interface. Exploiting this vulnerability requires an administrator-level backend user account. ### Solution Update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. ### Credits Thanks to Hendrik Eichner who reported this issue and to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-011](https://typo3.org/security/advisory/typo3-core-sa-2024-001)

11.5.40
Affected by 0 other vulnerabilities.

12.4.21
Affected by 1 other vulnerability.

13.3.1
Affected by 1 other vulnerability.

VCID-nqe1-b3zv-pufk
Aliases:
CVE-2024-47780
GHSA-rf5m-h8q9-9w6q

Information Disclosure in TYPO3 Page Tree ### Problem Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to "everybody." However, affected users could not manipulate these pages. ### Solution Update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. ### Credits Thanks to Peter Schuler who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue.

11.5.40
Affected by 0 other vulnerabilities.

12.4.21
Affected by 1 other vulnerability.

13.3.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-efax-e17q-jud4	Cross-Site Scripting in Content Preview ### Problem It has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed in the page module. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue. ### References * [TYPO3-CORE-SA-2021-007](https://typo3.org/security/advisory/typo3-core-sa-2021-007)	CVE-2021-21340 GHSA-fjh3-g8gq-9q92
VCID-ekj9-nhu4-93cc	Cross-Site Scripting in Content Preview (CType menu) ### Problem It has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to TYPO3 contributor Oliver Bartsch who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2021-008](https://typo3.org/security/advisory/typo3-core-sa-2021-008)	CVE-2021-21370 GHSA-x7hc-x7fm-f7qh

Vulnerability

Summary

Aliases

VCID-efax-e17q-jud4

Cross-Site Scripting in Content Preview ### Problem It has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed in the page module. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue. ### References * [TYPO3-CORE-SA-2021-007](https://typo3.org/security/advisory/typo3-core-sa-2021-007)

CVE-2021-21340
GHSA-fjh3-g8gq-9q92

VCID-ekj9-nhu4-93cc

Cross-Site Scripting in Content Preview (CType menu) ### Problem It has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to TYPO3 contributor Oliver Bartsch who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2021-008](https://typo3.org/security/advisory/typo3-core-sa-2021-008)

CVE-2021-21370
GHSA-x7hc-x7fm-f7qh

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T19:13:04.167110+00:00	GitLab Importer	Affected by	VCID-bccy-q51m-b3gy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-backend/CVE-2024-34537.yml	37.0.0
2025-07-03T19:13:03.335252+00:00	GitLab Importer	Affected by	VCID-nqe1-b3zv-pufk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-backend/CVE-2024-47780.yml	37.0.0
2025-07-03T17:56:57.802952+00:00	GitLab Importer	Fixing	VCID-ekj9-nhu4-93cc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-backend/CVE-2021-21370.yml	37.0.0
2025-07-03T17:56:54.479269+00:00	GitLab Importer	Fixing	VCID-efax-e17q-jud4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-backend/CVE-2021-21340.yml	37.0.0
2025-07-03T16:51:18.685191+00:00	GHSA Importer	Fixing	VCID-ekj9-nhu4-93cc	https://github.com/advisories/GHSA-x7hc-x7fm-f7qh	37.0.0
2025-07-03T16:51:17.961613+00:00	GHSA Importer	Fixing	VCID-efax-e17q-jud4	https://github.com/advisories/GHSA-fjh3-g8gq-9q92	37.0.0
2025-07-03T13:56:07.315384+00:00	GitLab Importer	Fixing	VCID-ekj9-nhu4-93cc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-backend/CVE-2021-21370.yml	36.1.3
2025-07-03T13:56:07.010984+00:00	GitLab Importer	Fixing	VCID-efax-e17q-jud4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-backend/CVE-2021-21340.yml	36.1.3
2025-07-01T12:19:12.519021+00:00	GithubOSV Importer	Fixing	VCID-ekj9-nhu4-93cc	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-x7hc-x7fm-f7qh/GHSA-x7hc-x7fm-f7qh.json	36.1.3
2025-07-01T12:19:04.640015+00:00	GithubOSV Importer	Fixing	VCID-efax-e17q-jud4	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-fjh3-g8gq-9q92/GHSA-fjh3-g8gq-9q92.json	36.1.3