Search for packages
Package details: pkg:composer/typo3/cms-core@8.7.12
purl pkg:composer/typo3/cms-core@8.7.12
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk
Vulnerabilities affecting this package (81)
Vulnerability Summary Fixed by
VCID-14ku-tr5n-17gv
Aliases:
CVE-2023-47127
GHSA-3vmm-7h4j-69rm
TYPO3 vulnerable to Weak Authentication in Session Handling > ### CVSS: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:X/RL:O/RC:C` (4.0) ### Problem Given that there are at least two different sites in the same TYPO3 installation - for instance _first.example.org_ and _second.example.com_ - then a session cookie generated for the first site can be reused on the second site without requiring additional authentication. This vulnerability primarily affects the frontend of the website. It's important to note that exploiting this vulnerability requires a valid user account. ### Solution Update to TYPO3 versions 8.7.55 ELTS, 9.5.44 ELTS, 10.4.41 ELTS, 11.5.33, 12.4.8 that fix the problem described above. ### Credits Thanks to Rémy Daniel who reported this issue, and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2023-006](https://typo3.org/security/advisory/typo3-core-sa-2023-006)
8.7.55
Affected by 0 other vulnerabilities.
9.5.44
Affected by 0 other vulnerabilities.
10.4.41
Affected by 0 other vulnerabilities.
11.5.33
Affected by 13 other vulnerabilities.
12.4.8
Affected by 13 other vulnerabilities.
VCID-17h4-rww9-93ad
Aliases:
2019-01-22-3
Improper Access Control Broken Access Control in Localization Handling.
8.7.23
Affected by 43 other vulnerabilities.
9.0.0
Affected by 112 other vulnerabilities.
VCID-1txn-xjt1-37ha
Aliases:
2018-12-11-3
Cross-site Scripting Cross-Site Scripting in Frontend User Login.
8.7.21
Affected by 56 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
VCID-1xu4-29uk-z3f8
Aliases:
GHSA-x4rj-f7m6-42c3
TYPO3 CMS Authentication Bypass vulnerability It has been discovered that TYPO3’s Salted Password system extension (which is a mandatory system component) is vulnerable to Authentication Bypass when using hashing methods which are related by PHP class inheritance. In standard TYPO3 core distributions stored passwords using the blowfish hashing algorithm can be overridden when using MD5 as the default hashing algorithm by just knowing a valid username. Per default the Portable PHP hashing algorithm (PHPass) is used which is not vulnerable.
8.7.17
Affected by 73 other vulnerabilities.
9.3.2
Affected by 98 other vulnerabilities.
VCID-2734-1z2d-9ydz
Aliases:
GHSA-45wj-jv2h-jwrf
TYPO3 CMS Privilege Escalation and SQL Injection Failing to properly dissociate system related configuration from user generated configuration, the Form Framework (system extension "form") is vulnerable to SQL injection and Privilege Escalation. Basically instructions can be persisted to a form definition file that were not configured to be modified - this applies to definitions managed using the form editor module as well as direct file upload using the regular file list module. A valid backend user account as well as having system extension form activated are needed in order to exploit this vulnerability.
8.7.17
Affected by 73 other vulnerabilities.
9.3.2
Affected by 98 other vulnerabilities.
VCID-3j7t-8pse-yyc3
Aliases:
GHSA-ppvg-hw62-6ph9
TYPO3 Security Misconfiguration in Install Tool Cookie It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.
8.7.21
Affected by 56 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
VCID-4381-nt69-cyhx
Aliases:
GHSA-95qm-3xp7-vfj5
TYPO3 Cross-Site Scripting in Form Framework validation handling It has been discovered that the output of field validation errors in the Form Framework is vulnerable to cross-site scripting.
8.7.30
Affected by 22 other vulnerabilities.
9.5.12
Affected by 43 other vulnerabilities.
10.2.1
Affected by 52 other vulnerabilities.
VCID-53bg-1gfq-7bap
Aliases:
2018-12-11-2
Cross-site Scripting Cross-Site Scripting in Backend Modal Component.
8.7.21
Affected by 56 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
VCID-59c6-ews9-cbaf
Aliases:
2018-07-12-3
Privilege Escalation & SQL Injection in TYPO3 CMS.
8.7.17
Affected by 73 other vulnerabilities.
9.3.2
Affected by 98 other vulnerabilities.
VCID-7rsj-1mbz-2bc9
Aliases:
GHSA-8c25-vj2w-p72j
TYPO3 Cross-Site Scripting in Frontend User Login Failing to properly encode user input, login status display is vulnerable to cross-site scripting in the website frontend. A valid user account is needed in order to exploit this vulnerability - either a backend user or a frontend user having the possibility to modify their user profile. Template patterns that are affected are - ###FEUSER_[fieldName]### using system extension felogin - <!--###USERNAME###--> for regular frontend rendering (pattern can be defined individually using TypoScript setting config.USERNAME_substToken)
8.7.21
Affected by 56 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
VCID-7vrs-6mah-2fh9
Aliases:
CVE-2021-32668
GHSA-6mh3-j5r5-2379
Cross-Site Scripting in Query Generator & Query View > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.5) ### Problem Failing to properly encode error messages, the components _QueryGenerator_ and _QueryView_ are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2021-010](https://typo3.org/security/advisory/typo3-core-sa-2021-010)
8.7.41
Affected by 1 other vulnerability.
9.5.28
Affected by 26 other vulnerabilities.
10.4.18
Affected by 28 other vulnerabilities.
11.3.1
Affected by 30 other vulnerabilities.
VCID-7w5e-uefx-c7cg
Aliases:
GHSA-22q7-cg4r-p9mx
TYPO3 Cross-Site Scripting in Fluid ViewHelpers Failing to properly encode user input, templates using built-in Fluid ViewHelpers are vulnerable to cross-site scripting.
8.7.23
Affected by 43 other vulnerabilities.
9.5.4
Affected by 71 other vulnerabilities.
VCID-7yn7-f2cw-ukfj
Aliases:
2018-12-11-6
Uncontrolled Resource Consumption Denial of Service in Online Media Asset Handling.
8.7.21
Affected by 56 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
VCID-7zyp-yza7-2udn
Aliases:
2019-05-07-2
Security Misconfiguration in User Session Handling.
8.7.25
Affected by 40 other vulnerabilities.
9.5.6
Affected by 64 other vulnerabilities.
VCID-87g8-zcww-p7bm
Aliases:
CVE-2019-12748
GHSA-r6fv-56gp-j3r4
Typo3 Cross-Site Scripting in Link Handling TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS.
8.7.27
Affected by 29 other vulnerabilities.
9.5.8
Affected by 49 other vulnerabilities.
VCID-89e7-n8qr-mkc1
Aliases:
CVE-2024-22188
GHSA-5w2h-59j3-8x5w
TYPO3 Install Tool vulnerable to Code Execution ### Problem Several settings in the Install Tool for configuring the path to system binaries were vulnerable to code execution. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. The corresponding change for this advisory involves enforcing the known disadvantages described in [TYPO3-PSA-2020-002: Protecting Install Tool with Sudo Mode](https://typo3.org/security/advisory/typo3-psa-2020-002). ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to Rickmer Frier & Daniel Jonka who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-002](https://typo3.org/security/advisory/typo3-core-sa-2024-002)
8.7.57
Affected by 0 other vulnerabilities.
9.5.46
Affected by 0 other vulnerabilities.
10.4.43
Affected by 0 other vulnerabilities.
11.5.35
Affected by 8 other vulnerabilities.
12.4.11
Affected by 8 other vulnerabilities.
13.0.1
Affected by 9 other vulnerabilities.
VCID-8mc9-ye3u-c3aj
Aliases:
CVE-2019-19849
GHSA-rcgc-4xfc-564v
TYPO3 Insecure Deserialization in Query Generator & Query View An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges.
8.7.30
Affected by 22 other vulnerabilities.
9.5.12
Affected by 43 other vulnerabilities.
10.2.1
Affected by 52 other vulnerabilities.
VCID-8re4-c6j8-hyfh
Aliases:
2018-12-11-7
Uncontrolled Resource Consumption Denial of Service in Frontend Record Registration.
8.7.21
Affected by 56 other vulnerabilities.
9.0.0
Affected by 112 other vulnerabilities.
VCID-8rqv-y2gn-6yd1
Aliases:
GHSA-p2h4-7fp3-cmh8
TYPO3 Disclosure of Information about Installed Extensions It has been discovered that mechanisms used for configuration of RequireJS package loading are susceptible to information disclosure. This way a potential attack can retrieve additional information about installed system and third party extensions.
8.7.23
Affected by 43 other vulnerabilities.
9.5.4
Affected by 71 other vulnerabilities.
VCID-8u66-mv4d-zbd4
Aliases:
2019-01-22-6
Cross-site Scripting Cross-Site Scripting in Form Framework.
8.7.23
Affected by 43 other vulnerabilities.
9.5.4
Affected by 71 other vulnerabilities.
VCID-969f-fsfs-23e1
Aliases:
GHSA-6xwf-7rfm-4gwc
TYPO3 Cross-Site Scripting in Filelist Module It has been discovered that the output table listing in the “Files” backend module is vulnerable to cross-site scripting when a file extension contains malicious sequences. Access to the file system of the server - either directly or through synchronization - is required to exploit the vulnerability.
8.7.30
Affected by 22 other vulnerabilities.
9.5.12
Affected by 43 other vulnerabilities.
10.2.1
Affected by 52 other vulnerabilities.
VCID-a9kp-9ews-e3b1
Aliases:
GHSA-82vp-jr39-4j2j
TYPO3 Security Misconfiguration in Frontend Session Handling It has been discovered session data of properly authenticated and logged in frontend users is kept and transformed into an anonymous user session during the logout process. This way the next user using the same client application gains access to previous session data.
8.7.27
Affected by 29 other vulnerabilities.
9.5.8
Affected by 49 other vulnerabilities.
VCID-aj9w-bguk-9yek
Aliases:
2019-06-25-5
Insecure Deserialization in TYPO3 CMS.
8.7.27
Affected by 29 other vulnerabilities.
9.5.8
Affected by 49 other vulnerabilities.
VCID-bvjs-f141-sfc7
Aliases:
2019-06-25-1
Information Disclosure in Backend User Interface.
8.7.27
Affected by 29 other vulnerabilities.
9.5.8
Affected by 49 other vulnerabilities.
VCID-cpa8-x668-5qgb
Aliases:
GHSA-x428-565f-8xj2
TYPO3 Arbitrary Code Execution and Cross-Site Scripting in Backend API Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfig_includes is vulnerable to directory traversal leading to same scenarios as having direct access to TSconfig settings. A valid backend user account having access to modify values for fields `pages.TSconfig` and `pages.tsconfig_includes` is needed in order to exploit this vulnerability.
8.7.27
Affected by 29 other vulnerabilities.
9.5.8
Affected by 49 other vulnerabilities.
VCID-cvpr-b5np-6bcv
Aliases:
2018-07-12-1
Improper Authentication Authentication Bypass in TYPO3 CMS.
8.7.17
Affected by 73 other vulnerabilities.
9.3.2
Affected by 98 other vulnerabilities.
VCID-d42j-347n-e7en
Aliases:
CVE-2021-21338
GHSA-4jhw-2p6j-5wmp
Open Redirection in Login Handling ### Problem It has been discovered that Login Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and conducting phishing attacks. No authentication is required in order to exploit this vulnerability. ### Solution Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to Alexander Kellner who reported this issue and to TYPO3 security team member Torben Hansen who fixed the issue. ### References * [TYPO3-CORE-SA-2021-001](https://typo3.org/security/advisory/typo3-core-sa-2021-001)
8.7.40
Affected by 3 other vulnerabilities.
9.5.25
Affected by 28 other vulnerabilities.
10.4.14
Affected by 32 other vulnerabilities.
11.1.1
Affected by 33 other vulnerabilities.
VCID-dfng-qmn8-jyc5
Aliases:
2019-01-22-2
Security Misconfiguration for Backend User Accounts.
8.7.23
Affected by 43 other vulnerabilities.
9.5.4
Affected by 71 other vulnerabilities.
VCID-dhn4-gz4x-2qcn
Aliases:
GHSA-9rx9-7fmh-gj3g
TYPO3 Broken Access Control in Localization Handling It has been discovered that backend users having limited access to specific languages are capable of modifying and creating pages in the default language which actually should be disallowed. A valid backend user account is needed in order to exploit this vulnerability.
8.7.23
Affected by 43 other vulnerabilities.
VCID-dkmy-bwds-s7f4
Aliases:
2019-05-07-1
Cross-site Scripting Cross-Site Scripting in Fluid Engine.
8.7.25
Affected by 40 other vulnerabilities.
9.5.6
Affected by 64 other vulnerabilities.
VCID-e3gy-22s1-huhc
Aliases:
2019-01-22-1
Information Disclosure of Installed Extensions.
8.7.23
Affected by 43 other vulnerabilities.
9.5.4
Affected by 71 other vulnerabilities.
VCID-ekj9-nhu4-93cc
Aliases:
CVE-2021-21370
GHSA-x7hc-x7fm-f7qh
Cross-Site Scripting in Content Preview (CType menu) ### Problem It has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to TYPO3 contributor Oliver Bartsch who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2021-008](https://typo3.org/security/advisory/typo3-core-sa-2021-008)
8.7.40
Affected by 3 other vulnerabilities.
9.5.25
Affected by 28 other vulnerabilities.
10.4.14
Affected by 32 other vulnerabilities.
11.1.1
Affected by 33 other vulnerabilities.
VCID-evyj-ctem-nffy
Aliases:
CVE-2024-25119
GHSA-h47m-3f78-qp9g
TYPO3 Install Tool vulnerable to Information Disclosure of Encryption Key ### Problem The plaintext value of `$GLOBALS['SYS']['encryptionKey']` was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-004](https://typo3.org/security/advisory/typo3-core-sa-2024-004)
8.7.57
Affected by 0 other vulnerabilities.
9.5.46
Affected by 0 other vulnerabilities.
10.4.43
Affected by 0 other vulnerabilities.
11.5.35
Affected by 8 other vulnerabilities.
12.4.11
Affected by 8 other vulnerabilities.
13.0.1
Affected by 9 other vulnerabilities.
VCID-fbhh-atu7-e3da
Aliases:
CVE-2021-21355
GHSA-2r6j-862c-m2v2
Unrestricted File Upload in Form Framework ### Problem Due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. TYPO3 Extbase extensions, which implement a file upload and do not implement a custom _TypeConverter_ to transform uploaded files into _FileReference_ domain model objects are affected by the vulnerability as well, since the _UploadedFileReferenceConverter_ of _ext:form_ handles the file upload and will accept files of any mime-type which are persisted to the default location. In any way, uploaded files are placed in the default location _/fileadmin/user_upload/_, in most scenarios keeping the submitted filename - which allows attackers to directly reference files, or even correctly guess filenames used by other individuals, disclosing this information. No authentication is required to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. Type converter _UploadedFileReferenceConverter_ is not registered globally anymore and just handles uploaded files within the scope of the Form Framework. Guessable storage location has changed from _/fileadmin/user_upload/form\_\<random-hash\>/_ to _/fileadmin/form_uploads/<random-40-bit>_. Allowed mime-types must match expected file extensions (e.g. _application/pdf_ must be _.pdf_, and cannot be _.html_). Extbase extensions, who rely on the global availability of the _UploadedFileReferenceConverter_ must now implement a custom _TypeConverter_ to handle file uploads or explicitly implement the ext:form _UploadedFileReferenceConverter_ with appropriate setting for accepted mime-types. ### Credits Thanks to Sebastian Michaelsen, Marc Lindemann, Oliver Eglseder, Markus Volkmer, Jakob Kunzmann, Johannes Regner, Richie Lee who reported this issue, and to TYPO3 core & security team members Oliver Hader & Benni Mack, as well as TYPO3 contributor Ralf Zimmermann who fixed the issue. ### References * [TYPO3-CORE-SA-2021-002](https://typo3.org/security/advisory/typo3-core-sa-2021-002)
8.7.40
Affected by 3 other vulnerabilities.
9.5.25
Affected by 28 other vulnerabilities.
10.4.14
Affected by 32 other vulnerabilities.
11.1.1
Affected by 33 other vulnerabilities.
VCID-fbxf-4gpp-4ff9
Aliases:
CVE-2022-31048
GHSA-3r95-23jp-mhvg
Cross-Site Scripting in TYPO3's Form Framework > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. ### Credits Thanks to Gabe Troyan who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2022-003](https://typo3.org/security/advisory/typo3-core-sa-2022-003)
8.7.47
Affected by 1 other vulnerability.
9.5.35
Affected by 0 other vulnerabilities.
10.4.29
Affected by 22 other vulnerabilities.
11.5.11
Affected by 23 other vulnerabilities.
VCID-fdsz-4q4m-eqgq
Aliases:
GHSA-4459-qrcc-vfcf
TYPO3 Cross-Site Scripting in Form Framework Failing to properly encode user input, frontend forms handled by the form framework (system extension “form”) are vulnerable to cross-site scripting.
8.7.23
Affected by 43 other vulnerabilities.
9.5.4
Affected by 71 other vulnerabilities.
VCID-fj4s-fcy4-2fcj
Aliases:
2018-12-11-1
Cross-site Scripting Cross-Site Scripting in Online Media Asset Rendering.
8.7.21
Affected by 56 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
VCID-gep7-wp2h-nugr
Aliases:
GHSA-hjx5-v9xg-7h25
TYPO3 Denial of Service in Frontend Record Registration TYPO3’s built-in record registration functionality (aka “basic shopping cart”) using recs URL parameters is vulnerable to denial of service. Failing to properly ensure that anonymous user sessions are valid, attackers can use this vulnerability in order to create an arbitrary amount of individual session-data records in the database.
8.7.21
Affected by 56 other vulnerabilities.
VCID-gqbq-47a9-7ygk
Aliases:
GHSA-5h5v-m596-r6rf
TYPO3 Possible Insecure Deserialization in Extbase Request Handling It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized. However, since sensitive information could have been leaked by accident (e.g. in repositories or in commonly known and unprotected backup files), there is the possibility that attackers know the private encryptionKey and are able to calculate the required HMAC-SHA1 to allow a malicious payload to be deserialized. Requirements for successfully exploiting this vulnerability (all of the following): - rendering at least one Extbase plugin in the frontend - encryptionKey has been leaked (from LocalConfiguration.php or corresponding .env file)
8.7.30
Affected by 22 other vulnerabilities.
9.5.12
Affected by 43 other vulnerabilities.
VCID-hg6g-kn76-bfbh
Aliases:
CVE-2019-19848
GHSA-77p4-wfr8-977w
TYPO3 Directory Traversal on ZIP extraction An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.)
8.7.30
Affected by 22 other vulnerabilities.
9.5.12
Affected by 43 other vulnerabilities.
10.2.2
Affected by 50 other vulnerabilities.
VCID-hrjb-bbbx-1kbq
Aliases:
2018-12-11-5
Information Disclosure in Install Tool.
8.7.21
Affected by 56 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
VCID-jcjk-1u7e-vbez
Aliases:
CVE-2024-25118
GHSA-38r2-5695-334w
TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords ### Problem Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to the TYPO3 framework merger Christian Kuhn and external security researchers Maximilian Beckmann, Klaus-Günther Schmidt who reported this issue, and TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2024-003](https://typo3.org/security/advisory/typo3-core-sa-2024-003)
8.7.57
Affected by 0 other vulnerabilities.
9.5.46
Affected by 0 other vulnerabilities.
10.4.43
Affected by 0 other vulnerabilities.
11.5.35
Affected by 8 other vulnerabilities.
12.4.11
Affected by 8 other vulnerabilities.
13.0.1
Affected by 9 other vulnerabilities.
VCID-jzqt-aujy-n3gw
Aliases:
2018-07-12-4
Insecure Deserialization in TYPO3 CMS.
8.7.17
Affected by 73 other vulnerabilities.
9.3.2
Affected by 98 other vulnerabilities.
VCID-kfrr-f48y-tkb3
Aliases:
GHSA-rv8r-8mh5-5376
TYPO3 Information Disclosure in Backend User Interface The element information component used to display properties of a certain record is susceptible to information disclosure. The list of references from or to the record is not properly checked for the backend user’s permissions. A valid backend user account is needed in order to exploit this vulnerability.
8.7.27
Affected by 29 other vulnerabilities.
9.5.8
Affected by 49 other vulnerabilities.
VCID-ks2k-ehk8-nqbm
Aliases:
CVE-2021-32669
GHSA-rgcg-28xm-8mmw
Cross-Site Scripting in Backend Grid View ### Problem Failing to properly encode settings for _backend layouts_, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to TYPO3 core merger Oliver Bartsch who reported and fixed the issue.
8.7.41
Affected by 1 other vulnerability.
9.5.28
Affected by 26 other vulnerabilities.
10.4.18
Affected by 28 other vulnerabilities.
11.3.1
Affected by 30 other vulnerabilities.
VCID-kugm-f7sk-vub9
Aliases:
GHSA-rxc9-f2x6-qh4w
TYPO3 Security Misconfiguration for Backend User Accounts When using the TYPO3 backend in order to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed - which might be entity type or the admin flag for backend users - the backend form is reloaded in order to reflect changed configuration possibilities. However, this leads to persisting the current state as well, which can result into some of the following: - account contains empty login credentials (username and/or password) - account is incomplete and contains weak credentials (username and/or password) Albeit the functionality provided by the TYPO3 core cannot be used either with empty usernames or empty passwords, it still can be a severe vulnerability to custom authentication service implementations. This weakness cannot be directly exploited and requires interaction on purpose by some backend user having according privileges.
8.7.23
Affected by 43 other vulnerabilities.
9.5.4
Affected by 71 other vulnerabilities.
VCID-n7ha-dtwq-xqf9
Aliases:
2018-07-12-2
Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS.
8.7.17
Affected by 73 other vulnerabilities.
9.3.2
Affected by 98 other vulnerabilities.
VCID-p778-sd22-dfea
Aliases:
GHSA-g4c9-qfvw-fmr4
TYPO3 Cross-Site Scripting in Backend Modal Component Failing to properly encode user input, notifications shown in modal windows in the TYPO3 backend are vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability.
8.7.21
Affected by 56 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
VCID-pe6b-ygxy-kqes
Aliases:
2019-01-22-4
Cross-site Scripting Cross-Site Scripting in Fluid `ViewHelpers`.
8.7.23
Affected by 43 other vulnerabilities.
9.5.4
Affected by 71 other vulnerabilities.
VCID-pwe8-razn-buae
Aliases:
CVE-2018-17960
GHSA-g68x-vvqq-pvw3
Ckeditor XSS Vulnerability CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. It was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, it is recommended to upgrade to the latest editor version.
8.7.21
Affected by 56 other vulnerabilities.
9.0.0
Affected by 112 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
VCID-q2ch-qd6x-vqeu
Aliases:
CVE-2022-31047
GHSA-fh99-4pgr-8j99
Insertion of Sensitive Information into Log File in typo3/cms-core > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that system internal credentials or keys (e.g. database credentials) have been logged as plaintext in exception handlers, when logging the complete exception stack trace. ### Solution Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. ### Credits Thanks to Marco Huber who reported this issue and to TYPO3 security member Torben Hansen who fixed the issue. ### References * [TYPO3-CORE-SA-2022-002](https://typo3.org/security/advisory/typo3-core-sa-2022-002)
8.7.47
Affected by 1 other vulnerability.
9.5.35
Affected by 0 other vulnerabilities.
10.4.29
Affected by 22 other vulnerabilities.
11.5.11
Affected by 23 other vulnerabilities.
VCID-r9ct-7gds-vkg3
Aliases:
GHSA-xmgr-jff3-fcfv
TYPO3 Security Misconfiguration in User Session Handling When users change their password existing sessions for that particular user account are not revoked. A valid backend or frontend user account is required in order to make use of this vulnerability.
8.7.25
Affected by 40 other vulnerabilities.
9.5.6
Affected by 64 other vulnerabilities.
VCID-r9yp-177t-efc4
Aliases:
2019-01-22-7
Code Injection Arbitrary Code Execution via File List Module.
8.7.23
Affected by 43 other vulnerabilities.
9.5.4
Affected by 71 other vulnerabilities.
VCID-rep9-2rxn-gfee
Aliases:
2019-05-07-3
Code Injection Possible Arbitrary Code Execution in Image Processing.
8.7.25
Affected by 40 other vulnerabilities.
9.5.6
Affected by 64 other vulnerabilities.
VCID-rk6h-431z-ubbk
Aliases:
CVE-2019-19850
GHSA-59pj-7mjh-4465
TYPO3 SQL Injection in low-level Query Generator An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges.
8.7.30
Affected by 22 other vulnerabilities.
9.5.12
Affected by 43 other vulnerabilities.
10.2.2
Affected by 50 other vulnerabilities.
VCID-rmnv-emnu-6bfy
Aliases:
CVE-2021-32767
GHSA-34fr-fhqr-7235
Information Disclosure in User Authentication > ### Meta > * CVSS: `AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the _default_ configuration. ### Solution Update to TYPO3 versions 7.6.52 ELTS, 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Ingo Schmitt who reported this issue, and to TYPO3 core & security team member Benni Mack who fixed the issue. ### References * [TYPO3-CORE-SA-2021-012](https://typo3.org/security/advisory/typo3-core-sa-2021-012)
8.7.41
Affected by 1 other vulnerability.
9.5.28
Affected by 26 other vulnerabilities.
10.4.18
Affected by 28 other vulnerabilities.
11.3.1
Affected by 30 other vulnerabilities.
VCID-rtd6-q7tg-ykfh
Aliases:
CVE-2020-26227
GHSA-vqqx-jw6p-q3rf
Cross-Site Scripting in Fluid view helpers > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7) > * CWE-79 ### Problem It has been discovered that system extension Fluid (`typo3/cms-fluid`) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. ``` <f:form ... fieldNamePrefix="{payload}" /> <f:be.labels.csh ... label="{payload}" /> <f:be.menus.actionMenu ... label="{payload}" /> ``` ### Solution Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. ### Credits Thanks to TYPO3 security team member Oliver Hader who reported this issue and to TYPO3 security team members Helmut Hummel & Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2020-010](https://typo3.org/security/advisory/typo3-core-sa-2020-010)
8.7.38
Affected by 0 other vulnerabilities.
9.5.23
Affected by 34 other vulnerabilities.
10.4.10
Affected by 40 other vulnerabilities.
VCID-swwb-fm9u-tucv
Aliases:
CVE-2023-24814
GHSA-r4f8-f93x-5qh3
TYPO3 is vulnerable to Cross-Site Scripting via frontend rendering > ### CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L/E:F/RL:O/RC:C` (8.2) ### Problem TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting [`config.absRefPrefix=auto`](https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549), attackers can inject malicious HTML code into pages that have not yet been rendered and cached. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of [`GeneralUtility::getIndpEnv('SCRIPT_NAME')`](https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484) and corresponding usages (as shown below) are vulnerable as well. - `GeneralUtility::getIndpEnv('PATH_INFO') ` - `GeneralUtility::getIndpEnv('SCRIPT_NAME') ` - `GeneralUtility::getIndpEnv('TYPO3_REQUEST_DIR')` - `GeneralUtility::getIndpEnv('TYPO3_REQUEST_SCRIPT')` - `GeneralUtility::getIndpEnv('TYPO3_SITE_PATH')` - `GeneralUtility::getIndpEnv('TYPO3_SITE_SCRIPT')` - `GeneralUtility::getIndpEnv('TYPO3_SITE_URL')` Installations of TYPO3 versions 8.7 and 9.x are probably only affected when server environment variable [`TYPO3_PATH_ROOT`](https://docs.typo3.org/m/typo3/reference-coreapi/9.5/en-us/ApiOverview/Environment/Index.html#configuring-environment-paths) is defined - which is the case if they were installed via Composer. Additional investigations confirmed that Apache and Microsoft IIS web servers using PHP-CGI (FPM, FCGI/FastCGI, or similar) are affected. There might be the risk that nginx is vulnerable as well. It was not possible to exploit Apache/mod_php scenarios. ### Solution The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.36 LTS, 11.5.23 LTS and 12.2.0 that fix the problem described above. > ℹ️ **Strong security defaults - Manual actions required** > Any web server using PHP-CGI (FPM, FCGI/FastCGI, or similar) needs to ensure that the PHP setting [**`cgi.fix_pathinfo=1`**](https://www.php.net/manual/en/ini.core.php#ini.cgi.fix-pathinfo) is used, which is the default PHP setting. In case this setting is not enabled, an exception is thrown to avoid continuing with invalid path information. For websites that cannot be patched timely the TypoScript setting [`config.absRefPrefix`](https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix) at least should be set to a static path value, instead of using `auto` - e.g. `config.absRefPrefix=/` - this **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation. ### References * [TYPO3-CORE-SA-2023-001](https://typo3.org/security/advisory/typo3-core-sa-2023-001) * [TYPO3-CORE-PSA-2023-001](https://typo3.org/security/advisory/typo3-psa-2023-001) *pre-announcement*
8.7.51
Affected by 0 other vulnerabilities.
9.5.40
Affected by 0 other vulnerabilities.
10.4.36
Affected by 15 other vulnerabilities.
11.5.23
Affected by 15 other vulnerabilities.
12.2.0
Affected by 15 other vulnerabilities.
VCID-t7b2-114h-ekaw
Aliases:
2019-06-25-2
Cross-site Scripting Cross-Site Scripting in Link Handling.
8.7.27
Affected by 29 other vulnerabilities.
9.5.8
Affected by 49 other vulnerabilities.
VCID-tbp9-2rg8-u7bk
Aliases:
2019-06-25-4
Code Injection Arbitrary Code Execution and Cross-Site Scripting in Backend API.
8.7.27
Affected by 29 other vulnerabilities.
9.5.8
Affected by 49 other vulnerabilities.
VCID-tfey-6228-tybz
Aliases:
2019-01-22-5
Cross-site Scripting Cross-Site Scripting in Bootstrap CSS toolkit.
8.7.23
Affected by 43 other vulnerabilities.
9.5.4
Affected by 71 other vulnerabilities.
VCID-the9-7p23-q7ac
Aliases:
GHSA-96jg-pmc4-cx39
TYPO3 CMS Insecure Deserialization It has been discovered that the Form Framework (system extension `form`) is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package `yaml`, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting `yaml.decode_php` enabled is needed to exploit this vulnerability (which is the default value according to PHP documentation).
8.7.17
Affected by 73 other vulnerabilities.
9.3.1
Affected by 101 other vulnerabilities.
VCID-thjz-e86b-n3a7
Aliases:
CVE-2019-12747
GHSA-86hp-xrhj-fhpq
Typo3 Vulnerable to Insecure Deserialization TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data.
8.7.27
Affected by 29 other vulnerabilities.
9.5.8
Affected by 49 other vulnerabilities.
VCID-tvq8-qbwc-qkfs
Aliases:
CVE-2021-32768
GHSA-c5c9-8c6m-727v
Cross-Site Scripting via Rich-Text Content > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC` (5.7) ### Problem Failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality _[HTMLparser](https://docs.typo3.org/m/typo3/reference-typoscript/10.4/en-us/Functions/Htmlparser.html)_ do not consider all potentially malicious HTML tag & attribute combinations per default. In addition, the lack of comprehensive default node configuration for rich-text fields in the backend user interface fosters this malfunction. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. ### Solution Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described above. Custom package _[typo3/html-sanitizer](https://github.com/TYPO3/html-sanitizer)_ - based on allow-lists only - takes care of sanitizing potentially malicious markup. The default behavior is based on safe and commonly used markup - however, this can be extended or restricted further in case it is necessary for individual scenarios. During the frontend rendering process, sanitization is applied to the default TypoScript path `lib.parseFunc`, which is implicitly used by the Fluid view-helper instruction `f:format.html`. Rich-text data persisted using the backend user interface is sanitized as well. Implementation details are explained in corresponding [ChangeLog documentation](https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/9.5.x/Important-94484-IntroduceHTMLSanitizer.html). ### Credits Thanks to Benjamin Stiber, Gert-Jan Jansma, Gábor Ács-Kurucz, Alexander Kellner, Richie Lee, Nina Rösch who reported this issue, and to TYPO3 security team member Oliver Hader, as well as TYPO3 contributor Susanne Moog who fixed the issue. ### References * [TYPO3-CORE-SA-2021-013](https://typo3.org/security/advisory/typo3-core-sa-2021-013)
8.7.42
Affected by 0 other vulnerabilities.
9.5.29
Affected by 23 other vulnerabilities.
10.4.19
Affected by 27 other vulnerabilities.
11.3.2
Affected by 29 other vulnerabilities.
VCID-u34g-yks8-hbay
Aliases:
CVE-2018-14041
GHSA-pj7m-g53m-7638
Bootstrap Cross-site Scripting vulnerability In Bootstrap 4.x before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042.
8.7.23
Affected by 43 other vulnerabilities.
9.5.4
Affected by 71 other vulnerabilities.
VCID-u3es-5tz4-ybfc
Aliases:
2019-06-25-3
Security Misconfiguration in Frontend Session Handling.
8.7.27
Affected by 29 other vulnerabilities.
9.5.8
Affected by 49 other vulnerabilities.
VCID-v83x-2hx7-yycg
Aliases:
CVE-2021-21339
GHSA-qx3w-4864-94ch
Cleartext storage of session identifier ### Problem User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. ### Solution Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to TYPO3 security team member Oliver Hader who reported this issue and to TYPO3 core & security team members Benni Mack & Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2021-006](https://typo3.org/security/advisory/typo3-core-sa-2021-006)
8.7.40
Affected by 3 other vulnerabilities.
9.5.25
Affected by 28 other vulnerabilities.
10.4.14
Affected by 32 other vulnerabilities.
11.1.1
Affected by 33 other vulnerabilities.
VCID-w2hv-ftte-fyd1
Aliases:
CVE-2022-36107
GHSA-9c6w-55cp-5w25
TYPO3 CMS Stored Cross-Site Scripting via FileDumpController > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.0) ### Problem It has been discovered that the `FileDumpController` (backend and frontend context) is vulnerable to cross-site scripting when malicious files are displayed using this component. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above. ### Credits Thanks to Vautia who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-009](https://typo3.org/security/advisory/typo3-core-sa-2022-009) * [Vulnerability Report on huntr.dev](https://huntr.dev/bounties/51e9b709-193c-41fd-bd4a-833aaca0bd4e/) (embargoed +30 days)
8.7.48
Affected by 0 other vulnerabilities.
9.5.37
Affected by 0 other vulnerabilities.
10.4.32
Affected by 17 other vulnerabilities.
11.5.16
Affected by 17 other vulnerabilities.
VCID-whf8-jc59-uub6
Aliases:
CVE-2021-21357
GHSA-3vg7-jw9m-pc3f
Broken Access Control in Form Framework ### Problem Due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. Besides that, attackers can persist those files in any writable directory of the corresponding TYPO3 installation. A valid backend user account with access to the form module is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 contributor Ralf Zimmermann who fixed the issue. ### References * [TYPO3-CORE-SA-2021-003](https://typo3.org/security/advisory/typo3-core-sa-2021-003)
8.7.40
Affected by 3 other vulnerabilities.
9.5.25
Affected by 28 other vulnerabilities.
10.4.14
Affected by 32 other vulnerabilities.
11.1.1
Affected by 33 other vulnerabilities.
VCID-wpup-swbs-43dk
Aliases:
GHSA-f9hr-7cfq-mjg2
TYPO3 Arbitrary Code Execution via File List Module Due to missing file extensions in $GLOBALS['TYPO3_CONF_VARS']['BE'][‘fileDenyPattern’], backend users are allowed to upload *.phar, *.shtml, *.pl or *.cgi files which can be executed in certain web server setups. A valid backend user account is needed in order to exploit this vulnerability. Derivatives of Debian GNU Linux are handling *.phar files as PHP applications since PHP 7.1 (for unofficial packages) and PHP 7.2 (for official packages). The file extension *.shtml is bound to server side includes which are not enabled per default in most common Linux based distributions. File extension *.pl and *.cgi require additional handlers to be configured which is also not the case in most common distributions (except for /cgi-bin/ location).
8.7.23
Affected by 43 other vulnerabilities.
9.5.4
Affected by 71 other vulnerabilities.
VCID-wrje-qvf1-2ua8
Aliases:
CVE-2024-25121
GHSA-rj3x-wvc6-5j66
TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler ### Problem Entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. #### ℹ️ Strong security defaults - Manual actions required When persisting entities of the File Abstraction Layer directly via DataHandler, `sys_file` entities are now denied by default, and `sys_file_reference` & `sys_file_metadata` entities are not permitted to reference files in the fallback storage anymore. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using `$dataHandler->isImporting = true;`. ### Credits Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2024-006](https://typo3.org/security/advisory/typo3-core-sa-2024-006)
8.7.57
Affected by 0 other vulnerabilities.
9.5.46
Affected by 0 other vulnerabilities.
10.4.43
Affected by 0 other vulnerabilities.
11.5.35
Affected by 8 other vulnerabilities.
12.4.11
Affected by 8 other vulnerabilities.
13.0.1
Affected by 9 other vulnerabilities.
VCID-x8ep-x9yv-tuc4
Aliases:
GHSA-wg8h-gxf4-g4gh
TYPO3 Cross-Site Scripting in Online Media Asset Rendering Failing to properly encode user input, online media asset rendering (*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user account or write access on the server system (e.g. SFTP) is needed in order to exploit this vulnerability.
8.7.21
Affected by 56 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
VCID-xdgy-veem-vua5
Aliases:
GHSA-29m4-mx89-3mjg
TYPO3 Denial of Service in Online Media Asset Handling Online Media Asset Handling (*.youtube and *.vimeo files) in the TYPO3 backend is vulnerable to denial of service. Putting large files with according file extensions results in high consumption of system resources. This can lead to exceeding limits of the current PHP process which results in a dysfunctional backend component. A valid backend user account or write access on the server system (e.g. SFTP) is needed in order to exploit this vulnerability.
8.7.21
Affected by 56 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
VCID-xsd3-6zyc-j7dg
Aliases:
2018-12-11-4
Security Misconfiguration in Install Tool Cookie.
8.7.21
Affected by 56 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
VCID-xww9-ktn9-e3ga
Aliases:
CVE-2022-36105
GHSA-m392-235j-9r7r
TYPO3 CMS vulnerable to User Enumeration via Response Timing > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that observing response time during user authentication (backend and frontend) can be used to distinguish between existing and non-existing user accounts. Extension authors of 3rd party TYPO3 extensions providing a custom authentication service should check if the extension is affected by the described problem. Affected extensions must implement new `MimicServiceInterface::mimicAuthUser`, which simulates corresponding times regular processing would usually take. ### Solution Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above. ### Credits Thanks to Vautia who reported this issue and to TYPO3 core & security team members Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-007](https://typo3.org/security/advisory/typo3-core-sa-2022-007) * [Vulnerability Report on huntr.dev](https://huntr.dev/bounties/7d519735-2877-4fad-bd77-accde3e290a7/) (embargoed +30 days)
8.7.48
Affected by 0 other vulnerabilities.
9.5.37
Affected by 0 other vulnerabilities.
10.4.32
Affected by 17 other vulnerabilities.
11.5.16
Affected by 17 other vulnerabilities.
VCID-xxf2-6qn3-x7f8
Aliases:
CVE-2022-31046
GHSA-8gmv-9hwg-w89g
Information Disclosure via Export Module > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C` (4.0) ### Problem The export functionality fails to limit the result set to allowed columns of a particular database table. This allows authenticated users to export internal details of database tables to which they already have access. ### Solution Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. In order to address this issue, access to mentioned export functionality is completely denied for regular backend users. ℹ️ **Strong security defaults - Manual actions required** Following User TSconfig setting would allow using the export functionality for particular users: ``` options.impexp.enableExportForNonAdminUser = 1 ``` ### Credits Thanks to TYPO3 core merger Lina Wolf who reported this issue and to TYPO3 security member Torben Hansen who fixed the issue. ### References * [TYPO3-CORE-SA-2022-001](https://typo3.org/security/advisory/typo3-core-sa-2022-001)
8.7.47
Affected by 1 other vulnerability.
9.5.35
Affected by 0 other vulnerabilities.
10.4.29
Affected by 22 other vulnerabilities.
11.5.11
Affected by 23 other vulnerabilities.
VCID-ynrh-kamk-augw
Aliases:
GHSA-4ppr-jw47-9qm5
TYPO3 Cross-Site Scripting in Link Handling It has been discovered that t3:// URL handling and typolink functionality are vulnerable to cross-site scripting. Not only regular backend forms are affected but also frontend extensions which use the rendering with typolink.
8.7.30
Affected by 22 other vulnerabilities.
9.5.12
Affected by 43 other vulnerabilities.
10.2.1
Affected by 52 other vulnerabilities.
VCID-yqf5-djd2-suea
Aliases:
CVE-2024-25120
GHSA-wf85-8hx9-gj7c
TYPO3 vulnerable to Improper Access Control of Resources Referenced by t3:// URI Scheme ### Problem The TYPO3-specific [`t3://` URI scheme](https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references) could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-005](https://typo3.org/security/advisory/typo3-core-sa-2024-005)
8.7.57
Affected by 0 other vulnerabilities.
9.5.46
Affected by 0 other vulnerabilities.
10.4.43
Affected by 0 other vulnerabilities.
11.5.35
Affected by 8 other vulnerabilities.
12.4.11
Affected by 8 other vulnerabilities.
13.0.1
Affected by 9 other vulnerabilities.
VCID-yv3c-d7fb-v3bm
Aliases:
GHSA-cc97-g92w-jm65
TYPO3 CMS Insecure Deserialization & Arbitrary Code Execution Phar files (formerly known as "PHP archives") can act als self extracting archives which leads to the fact that source code is executed when Phar files are invoked. The Phar file format is not limited to be stored with a dedicated file extension - "bundle.phar" would be valid as well as "bundle.txt" would be. This way, Phar files can be obfuscated as image or text file which would not be denied from being uploaded and persisted to a TYPO3 installation. Due to a missing sanitization of user input, those Phar files can be invoked by manipulated URLs in TYPO3 backend forms. A valid backend user account is needed to exploit this vulnerability. In theory the attack vector would be possible in the TYPO3 frontend as well, however no functional exploit has been identified so far.
8.7.17
Affected by 73 other vulnerabilities.
9.3.2
Affected by 98 other vulnerabilities.
VCID-z54r-1zba-1bcx
Aliases:
GHSA-66c2-7g4p-wx4p
TYPO3 Information Disclosure in Install Tool The Install Tool exposes the current TYPO3 version number to non-authenticated users.
8.7.21
Affected by 56 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
VCID-zrvx-m37x-v3a1
Aliases:
2018-12-11-8
Cross-site Scripting Cross-Site Scripting in CKEditor.
8.7.21
Affected by 56 other vulnerabilities.
9.5.2
Affected by 84 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-03T19:06:30.735206+00:00 GitLab Importer Affected by VCID-r9ct-7gds-vkg3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-xmgr-jff3-fcfv.yml 37.0.0
2025-07-03T19:06:30.456831+00:00 GitLab Importer Affected by VCID-ynrh-kamk-augw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-4ppr-jw47-9qm5.yml 37.0.0
2025-07-03T19:06:30.206717+00:00 GitLab Importer Affected by VCID-cpa8-x668-5qgb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-x428-565f-8xj2.yml 37.0.0
2025-07-03T19:06:29.519864+00:00 GitLab Importer Affected by VCID-xdgy-veem-vua5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-29m4-mx89-3mjg.yml 37.0.0
2025-07-03T19:06:29.181193+00:00 GitLab Importer Affected by VCID-a9kp-9ews-e3b1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-82vp-jr39-4j2j.yml 37.0.0
2025-07-03T19:06:28.882521+00:00 GitLab Importer Affected by VCID-969f-fsfs-23e1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-6xwf-7rfm-4gwc.yml 37.0.0
2025-07-03T19:06:27.957345+00:00 GitLab Importer Affected by VCID-7w5e-uefx-c7cg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-22q7-cg4r-p9mx.yml 37.0.0
2025-07-03T19:06:27.500064+00:00 GitLab Importer Affected by VCID-1xu4-29uk-z3f8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-x4rj-f7m6-42c3.yml 37.0.0
2025-07-03T19:06:27.259295+00:00 GitLab Importer Affected by VCID-p778-sd22-dfea https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-g4c9-qfvw-fmr4.yml 37.0.0
2025-07-03T19:06:26.940690+00:00 GitLab Importer Affected by VCID-wpup-swbs-43dk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-f9hr-7cfq-mjg2.yml 37.0.0
2025-07-03T19:06:26.729532+00:00 GitLab Importer Affected by VCID-dhn4-gz4x-2qcn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-9rx9-7fmh-gj3g.yml 37.0.0
2025-07-03T19:06:26.333473+00:00 GitLab Importer Affected by VCID-gep7-wp2h-nugr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-hjx5-v9xg-7h25.yml 37.0.0
2025-07-03T19:06:26.071158+00:00 GitLab Importer Affected by VCID-kfrr-f48y-tkb3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-rv8r-8mh5-5376.yml 37.0.0
2025-07-03T19:06:25.864532+00:00 GitLab Importer Affected by VCID-the9-7p23-q7ac https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-96jg-pmc4-cx39.yml 37.0.0
2025-07-03T19:06:24.370999+00:00 GitLab Importer Affected by VCID-fdsz-4q4m-eqgq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-4459-qrcc-vfcf.yml 37.0.0
2025-07-03T19:06:24.124263+00:00 GitLab Importer Affected by VCID-8rqv-y2gn-6yd1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-p2h4-7fp3-cmh8.yml 37.0.0
2025-07-03T19:06:23.889216+00:00 GitLab Importer Affected by VCID-7rsj-1mbz-2bc9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-8c25-vj2w-p72j.yml 37.0.0
2025-07-03T19:06:21.119977+00:00 GitLab Importer Affected by VCID-2734-1z2d-9ydz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-45wj-jv2h-jwrf.yml 37.0.0
2025-07-03T19:06:20.838533+00:00 GitLab Importer Affected by VCID-4381-nt69-cyhx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-95qm-3xp7-vfj5.yml 37.0.0
2025-07-03T19:06:20.625367+00:00 GitLab Importer Affected by VCID-yv3c-d7fb-v3bm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-cc97-g92w-jm65.yml 37.0.0
2025-07-03T19:06:19.909745+00:00 GitLab Importer Affected by VCID-x8ep-x9yv-tuc4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-wg8h-gxf4-g4gh.yml 37.0.0
2025-07-03T19:06:19.620089+00:00 GitLab Importer Affected by VCID-gqbq-47a9-7ygk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-5h5v-m596-r6rf.yml 37.0.0
2025-07-03T19:06:18.942122+00:00 GitLab Importer Affected by VCID-z54r-1zba-1bcx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-66c2-7g4p-wx4p.yml 37.0.0
2025-07-03T19:06:18.520846+00:00 GitLab Importer Affected by VCID-kugm-f7sk-vub9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-rxc9-f2x6-qh4w.yml 37.0.0
2025-07-03T19:06:18.222907+00:00 GitLab Importer Affected by VCID-3j7t-8pse-yyc3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-ppvg-hw62-6ph9.yml 37.0.0
2025-07-03T18:59:14.264677+00:00 GitLab Importer Affected by VCID-yqf5-djd2-suea https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2024-25120.yml 37.0.0
2025-07-03T18:59:12.557661+00:00 GitLab Importer Affected by VCID-wrje-qvf1-2ua8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2024-25121.yml 37.0.0
2025-07-03T18:59:11.940111+00:00 GitLab Importer Affected by VCID-89e7-n8qr-mkc1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2024-22188.yml 37.0.0
2025-07-03T18:59:10.822465+00:00 GitLab Importer Affected by VCID-evyj-ctem-nffy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2024-25119.yml 37.0.0
2025-07-03T18:59:10.253243+00:00 GitLab Importer Affected by VCID-jcjk-1u7e-vbez https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2024-25118.yml 37.0.0
2025-07-03T18:53:19.809761+00:00 GitLab Importer Affected by VCID-14ku-tr5n-17gv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2023-47127.yml 37.0.0
2025-07-03T18:38:32.386090+00:00 GitLab Importer Affected by VCID-swwb-fm9u-tucv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2023-24814.yml 37.0.0
2025-07-03T18:30:22.607107+00:00 GitLab Importer Affected by VCID-xww9-ktn9-e3ga https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2022-36105.yml 37.0.0
2025-07-03T18:30:21.608770+00:00 GitLab Importer Affected by VCID-w2hv-ftte-fyd1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2022-36107.yml 37.0.0
2025-07-03T18:25:57.397570+00:00 GitLab Importer Affected by VCID-fbxf-4gpp-4ff9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2022-31048.yml 37.0.0
2025-07-03T18:25:56.922106+00:00 GitLab Importer Affected by VCID-xxf2-6qn3-x7f8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2022-31046.yml 37.0.0
2025-07-03T18:25:44.837179+00:00 GitLab Importer Affected by VCID-q2ch-qd6x-vqeu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2022-31047.yml 37.0.0
2025-07-03T18:23:58.159263+00:00 GitLab Importer Affected by VCID-rk6h-431z-ubbk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2019-19850.yml 37.0.0
2025-07-03T18:22:48.600405+00:00 GitLab Importer Affected by VCID-87g8-zcww-p7bm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2019-12748.yml 37.0.0
2025-07-03T18:21:58.154751+00:00 GitLab Importer Affected by VCID-hg6g-kn76-bfbh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2019-19848.yml 37.0.0
2025-07-03T18:20:58.654734+00:00 GitLab Importer Affected by VCID-8mc9-ye3u-c3aj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2019-19849.yml 37.0.0
2025-07-03T18:20:45.979832+00:00 GitLab Importer Affected by VCID-thjz-e86b-n3a7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2019-12747.yml 37.0.0
2025-07-03T18:02:43.377880+00:00 GitLab Importer Affected by VCID-tvq8-qbwc-qkfs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2021-32768.yml 37.0.0
2025-07-03T18:02:21.936043+00:00 GitLab Importer Affected by VCID-rmnv-emnu-6bfy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2021-32767.yml 37.0.0
2025-07-03T18:02:20.187863+00:00 GitLab Importer Affected by VCID-7vrs-6mah-2fh9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2021-32668.yml 37.0.0
2025-07-03T18:02:19.310291+00:00 GitLab Importer Affected by VCID-ks2k-ehk8-nqbm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2021-32669.yml 37.0.0
2025-07-03T17:56:55.880007+00:00 GitLab Importer Affected by VCID-fbhh-atu7-e3da https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2021-21355.yml 37.0.0
2025-07-03T17:56:51.873643+00:00 GitLab Importer Affected by VCID-v83x-2hx7-yycg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2021-21339.yml 37.0.0
2025-07-03T17:56:49.926895+00:00 GitLab Importer Affected by VCID-whf8-jc59-uub6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2021-21357.yml 37.0.0
2025-07-03T17:56:46.646866+00:00 GitLab Importer Affected by VCID-d42j-347n-e7en https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2021-21338.yml 37.0.0
2025-07-03T17:56:39.254504+00:00 GitLab Importer Affected by VCID-ekj9-nhu4-93cc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2021-21370.yml 37.0.0
2025-07-03T17:52:35.915774+00:00 GitLab Importer Affected by VCID-rtd6-q7tg-ykfh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2020-26227.yml 37.0.0
2025-07-03T17:35:09.050147+00:00 GitLab Importer Affected by VCID-aj9w-bguk-9yek https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-06-25-5.yml 37.0.0
2025-07-03T17:35:08.572139+00:00 GitLab Importer Affected by VCID-u3es-5tz4-ybfc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-06-25-3.yml 37.0.0
2025-07-03T17:35:07.913875+00:00 GitLab Importer Affected by VCID-tbp9-2rg8-u7bk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-06-25-4.yml 37.0.0
2025-07-03T17:35:07.186816+00:00 GitLab Importer Affected by VCID-bvjs-f141-sfc7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-06-25-1.yml 37.0.0
2025-07-03T17:35:06.594324+00:00 GitLab Importer Affected by VCID-t7b2-114h-ekaw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-06-25-2.yml 37.0.0
2025-07-03T17:33:58.190840+00:00 GitLab Importer Affected by VCID-dkmy-bwds-s7f4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-05-07-1.yml 37.0.0
2025-07-03T17:33:56.633017+00:00 GitLab Importer Affected by VCID-rep9-2rxn-gfee https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-05-07-3.yml 37.0.0
2025-07-03T17:33:56.078903+00:00 GitLab Importer Affected by VCID-7zyp-yza7-2udn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-05-07-2.yml 37.0.0
2025-07-03T17:31:24.317029+00:00 GitLab Importer Affected by VCID-17h4-rww9-93ad https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-3.yml 37.0.0
2025-07-03T17:31:23.801412+00:00 GitLab Importer Affected by VCID-8u66-mv4d-zbd4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-6.yml 37.0.0
2025-07-03T17:31:23.589975+00:00 GitLab Importer Affected by VCID-dfng-qmn8-jyc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-2.yml 37.0.0
2025-07-03T17:31:22.894357+00:00 GitLab Importer Affected by VCID-r9yp-177t-efc4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-7.yml 37.0.0
2025-07-03T17:31:21.774953+00:00 GitLab Importer Affected by VCID-e3gy-22s1-huhc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-1.yml 37.0.0
2025-07-03T17:31:21.317616+00:00 GitLab Importer Affected by VCID-pe6b-ygxy-kqes https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-4.yml 37.0.0
2025-07-03T17:31:20.640983+00:00 GitLab Importer Affected by VCID-tfey-6228-tybz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-5.yml 37.0.0
2025-07-03T17:30:47.530540+00:00 GitLab Importer Affected by VCID-fj4s-fcy4-2fcj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-12-11-1.yml 37.0.0
2025-07-03T17:30:47.334938+00:00 GitLab Importer Affected by VCID-zrvx-m37x-v3a1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-12-11-8.yml 37.0.0
2025-07-03T17:30:47.117609+00:00 GitLab Importer Affected by VCID-8re4-c6j8-hyfh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-12-11-7.yml 37.0.0
2025-07-03T17:30:46.568944+00:00 GitLab Importer Affected by VCID-1txn-xjt1-37ha https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-12-11-3.yml 37.0.0
2025-07-03T17:30:46.371516+00:00 GitLab Importer Affected by VCID-hrjb-bbbx-1kbq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-12-11-5.yml 37.0.0
2025-07-03T17:30:45.883516+00:00 GitLab Importer Affected by VCID-53bg-1gfq-7bap https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-12-11-2.yml 37.0.0
2025-07-03T17:30:44.822266+00:00 GitLab Importer Affected by VCID-xsd3-6zyc-j7dg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-12-11-4.yml 37.0.0
2025-07-03T17:30:43.951936+00:00 GitLab Importer Affected by VCID-7yn7-f2cw-ukfj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-12-11-6.yml 37.0.0
2025-07-03T17:30:38.399222+00:00 GitLab Importer Affected by VCID-pwe8-razn-buae https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2018-17960.yml 37.0.0
2025-07-03T17:28:54.403899+00:00 GitLab Importer Affected by VCID-u34g-yks8-hbay https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2018-14041.yml 37.0.0
2025-07-03T17:27:57.268786+00:00 GitLab Importer Affected by VCID-cvpr-b5np-6bcv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-07-12-1.yml 37.0.0
2025-07-03T17:27:55.365854+00:00 GitLab Importer Affected by VCID-59c6-ews9-cbaf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-07-12-3.yml 37.0.0
2025-07-03T17:27:55.184689+00:00 GitLab Importer Affected by VCID-n7ha-dtwq-xqf9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-07-12-2.yml 37.0.0
2025-07-03T17:27:53.596437+00:00 GitLab Importer Affected by VCID-jzqt-aujy-n3gw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-07-12-4.yml 37.0.0
2025-07-03T16:43:16.662476+00:00 GHSA Importer Affected by VCID-pwe8-razn-buae https://github.com/advisories/GHSA-g68x-vvqq-pvw3 37.0.0