Search for packages
Package details: pkg:composer/typo3/cms-core@8.5.0
purl pkg:composer/typo3/cms-core@8.5.0
Tags Ghost
Next non-vulnerable version 8.7.17
Latest non-vulnerable version 13.4.3
Risk 4.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-2734-1z2d-9ydz
Aliases:
GHSA-45wj-jv2h-jwrf
TYPO3 CMS Privilege Escalation and SQL Injection Failing to properly dissociate system related configuration from user generated configuration, the Form Framework (system extension "form") is vulnerable to SQL injection and Privilege Escalation. Basically instructions can be persisted to a form definition file that were not configured to be modified - this applies to definitions managed using the form editor module as well as direct file upload using the regular file list module. A valid backend user account as well as having system extension form activated are needed in order to exploit this vulnerability.
8.7.17
Affected by 0 other vulnerabilities.
9.3.2
Affected by 0 other vulnerabilities.
VCID-59c6-ews9-cbaf
Aliases:
2018-07-12-3
Privilege Escalation & SQL Injection in TYPO3 CMS.
8.7.17
Affected by 0 other vulnerabilities.
9.3.2
Affected by 0 other vulnerabilities.
VCID-fdsz-4q4m-eqgq
Aliases:
GHSA-4459-qrcc-vfcf
TYPO3 Cross-Site Scripting in Form Framework Failing to properly encode user input, frontend forms handled by the form framework (system extension “form”) are vulnerable to cross-site scripting.
8.7.23
Affected by 0 other vulnerabilities.
9.5.4
Affected by 0 other vulnerabilities.
VCID-jzqt-aujy-n3gw
Aliases:
2018-07-12-4
Insecure Deserialization in TYPO3 CMS.
8.7.17
Affected by 0 other vulnerabilities.
9.3.2
Affected by 0 other vulnerabilities.
VCID-the9-7p23-q7ac
Aliases:
GHSA-96jg-pmc4-cx39
TYPO3 CMS Insecure Deserialization It has been discovered that the Form Framework (system extension `form`) is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package `yaml`, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting `yaml.decode_php` enabled is needed to exploit this vulnerability (which is the default value according to PHP documentation).
8.7.17
Affected by 0 other vulnerabilities.
9.3.1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-03T13:56:49.024139+00:00 GitLab Importer Affected by VCID-the9-7p23-q7ac https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-96jg-pmc4-cx39.yml 36.1.3
2025-07-03T13:56:48.886861+00:00 GitLab Importer Affected by VCID-fdsz-4q4m-eqgq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-4459-qrcc-vfcf.yml 36.1.3
2025-07-03T13:56:48.475063+00:00 GitLab Importer Affected by VCID-2734-1z2d-9ydz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-45wj-jv2h-jwrf.yml 36.1.3
2025-07-01T18:11:01.622584+00:00 GitLab Importer Affected by VCID-59c6-ews9-cbaf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-07-12-3.yml 36.1.3
2025-07-01T18:11:01.411922+00:00 GitLab Importer Affected by VCID-jzqt-aujy-n3gw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-07-12-4.yml 36.1.3
2025-07-01T14:35:02.205516+00:00 GHSA Importer Affected by VCID-fdsz-4q4m-eqgq https://github.com/advisories/GHSA-4459-qrcc-vfcf 36.1.3
2025-07-01T14:35:01.712786+00:00 GHSA Importer Affected by VCID-the9-7p23-q7ac https://github.com/advisories/GHSA-96jg-pmc4-cx39 36.1.3
2025-07-01T14:35:01.634521+00:00 GHSA Importer Affected by VCID-2734-1z2d-9ydz https://github.com/advisories/GHSA-45wj-jv2h-jwrf 36.1.3