Vulnerabilities affecting this package (0)

| Vulnerability | Summary | Fixed by |
|---|---|---|
| (none) | This package is not known to be affected by vulnerabilities. | |
Vulnerabilities fixed by this package (14)

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-17h4-rww9-93ad | Improper Access Control: Broken Access Control in Localization Handling. | 2019-01-22-3 |
| VCID-7w5e-uefx-c7cg | TYPO3 Cross-Site Scripting in Fluid ViewHelpers: Failing to properly encode user input, templates using built-in Fluid ViewHelpers are vulnerable to cross-site scripting. | GHSA-22q7-cg4r-p9mx |
| VCID-8rqv-y2gn-6yd1 | TYPO3 Disclosure of Information about Installed Extensions: It has been discovered that the mechanisms used for configuring RequireJS package loading are susceptible to information disclosure. A potential attacker can use this to retrieve additional information about installed system and third-party extensions. | GHSA-p2h4-7fp3-cmh8 |
| VCID-8u66-mv4d-zbd4 | Cross-site Scripting: Cross-Site Scripting in Form Framework. | 2019-01-22-6 |
| VCID-dfng-qmn8-jyc5 | Security Misconfiguration for Backend User Accounts. | 2019-01-22-2 |
| VCID-dhn4-gz4x-2qcn | TYPO3 Broken Access Control in Localization Handling: It has been discovered that backend users with access limited to specific languages are able to modify and create pages in the default language, which should be disallowed. A valid backend user account is needed in order to exploit this vulnerability. | GHSA-9rx9-7fmh-gj3g |
| VCID-e3gy-22s1-huhc | Information Disclosure of Installed Extensions. | 2019-01-22-1 |
| VCID-fdsz-4q4m-eqgq | TYPO3 Cross-Site Scripting in Form Framework: Failing to properly encode user input, frontend forms handled by the form framework (system extension "form") are vulnerable to cross-site scripting. | GHSA-4459-qrcc-vfcf |
| VCID-kugm-f7sk-vub9 | TYPO3 Security Misconfiguration for Backend User Accounts: When the TYPO3 backend is used to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed (the entity type or the admin flag for backend users), the backend form is reloaded to reflect the changed configuration options; this also persists the current state, which can result in (a) an account with empty login credentials (username and/or password) or (b) an incomplete account with weak credentials (username and/or password). Although the functionality provided by the TYPO3 core cannot be used with empty usernames or empty passwords, this can still be a severe vulnerability for custom authentication service implementations. This weakness cannot be exploited directly and requires deliberate interaction by a backend user with the corresponding privileges. | GHSA-rxc9-f2x6-qh4w |
| VCID-pe6b-ygxy-kqes | Cross-site Scripting: Cross-Site Scripting in Fluid `ViewHelpers`. | 2019-01-22-4 |
| VCID-r9yp-177t-efc4 | Code Injection: Arbitrary Code Execution via File List Module. | 2019-01-22-7 |
| VCID-tfey-6228-tybz | Cross-site Scripting: Cross-Site Scripting in Bootstrap CSS toolkit. | 2019-01-22-5 |
| VCID-u34g-yks8-hbay | Bootstrap Cross-site Scripting vulnerability: In Bootstrap 4.x before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042. | CVE-2018-14041, GHSA-pj7m-g53m-7638 |
| VCID-wpup-swbs-43dk | TYPO3 Arbitrary Code Execution via File List Module: Due to file extensions missing from `$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']`, backend users are allowed to upload *.phar, *.shtml, *.pl or *.cgi files, which can be executed in certain web server setups. A valid backend user account is needed in order to exploit this vulnerability. Debian GNU/Linux derivatives handle *.phar files as PHP applications since PHP 7.1 (for unofficial packages) and PHP 7.2 (for official packages). The file extension *.shtml is bound to server-side includes, which are not enabled by default in most common Linux-based distributions. The file extensions *.pl and *.cgi require additional handlers to be configured, which is also not the case in most common distributions (except for the /cgi-bin/ location). | GHSA-f9hr-7cfq-mjg2 |