Search for packages
| purl | pkg:composer/typo3/cms-core@9.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-14ku-tr5n-17gv
Aliases: CVE-2023-47127 GHSA-3vmm-7h4j-69rm |
TYPO3 vulnerable to Weak Authentication in Session Handling > ### CVSS: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:X/RL:O/RC:C` (4.0) ### Problem Given that there are at least two different sites in the same TYPO3 installation - for instance _first.example.org_ and _second.example.com_ - then a session cookie generated for the first site can be reused on the second site without requiring additional authentication. This vulnerability primarily affects the frontend of the website. It's important to note that exploiting this vulnerability requires a valid user account. ### Solution Update to TYPO3 versions 8.7.55 ELTS, 9.5.44 ELTS, 10.4.41 ELTS, 11.5.33, 12.4.8 that fix the problem described above. ### Credits Thanks to Rémy Daniel who reported this issue, and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2023-006](https://typo3.org/security/advisory/typo3-core-sa-2023-006) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-1m8d-xwvp-1bag
Aliases: CVE-2024-34357 GHSA-hw6c-6gwq-3m3m |
TYPO3 vulnerable to Cross-Site Scripting in the ShowImageController ### Problem Failing to properly encode user-controlled values in file entities, the `ShowImageController` (_eID tx_cms_showpic_) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. ### Solution Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described. ### Credits Thanks to TYPO3 security team member Torben Hansen who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2024-009](https://typo3.org/security/advisory/typo3-core-sa-2024-009) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-1txn-xjt1-37ha
Aliases: 2018-12-11-3 |
Cross-site Scripting Cross-Site Scripting in Frontend User Login. |
Affected by 0 other vulnerabilities. |
|
VCID-1xu4-29uk-z3f8
Aliases: GHSA-x4rj-f7m6-42c3 |
TYPO3 CMS Authentication Bypass vulnerability It has been discovered that TYPO3’s Salted Password system extension (which is a mandatory system component) is vulnerable to Authentication Bypass when using hashing methods which are related by PHP class inheritance. In standard TYPO3 core distributions stored passwords using the blowfish hashing algorithm can be overridden when using MD5 as the default hashing algorithm by just knowing a valid username. Per default the Portable PHP hashing algorithm (PHPass) is used which is not vulnerable. |
Affected by 0 other vulnerabilities. |
|
VCID-2734-1z2d-9ydz
Aliases: GHSA-45wj-jv2h-jwrf |
TYPO3 CMS Privilege Escalation and SQL Injection Failing to properly dissociate system related configuration from user generated configuration, the Form Framework (system extension "form") is vulnerable to SQL injection and Privilege Escalation. Basically instructions can be persisted to a form definition file that were not configured to be modified - this applies to definitions managed using the form editor module as well as direct file upload using the regular file list module. A valid backend user account as well as having system extension form activated are needed in order to exploit this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-2cs4-v238-qydz
Aliases: CVE-2022-31049 GHSA-h4mx-xv96-2jgm |
Cross-Site Scripting in TYPO3's Frontend Login Mailer > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.9) ### Problem User submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages. ### Solution Update to TYPO3 versions 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. ### Credits Thanks to Christian Seifert who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue. ### References * [TYPO3-CORE-SA-2022-004](https://typo3.org/security/advisory/typo3-core-sa-2022-004) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-2f1j-4zed-73gp
Aliases: CVE-2023-30451 GHSA-w6x2-jg8h-p6mp |
Path Traversal in TYPO3 File Abstraction Layer Storages ### Problem Configurable storages using the local driver of the File Abstraction Layer (FAL) could be configured to access directories outside of the root directory of the corresponding project. The system setting in `BE/lockRootPath` was not evaluated by the file abstraction layer component. An administrator-level backend user account is required to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. #### ℹ️ **Strong security defaults - Manual actions required** _see [Important: #102800 changelog](https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/11.5.x/Important-102800-FileAbstractionLayerEnforcesAbsolutePathsToMatchProjectRootOrLockRootPath.html)_ Assuming that a web project is located in the directory `/var/www/example.org` (the "project root path" for Composer-based projects) and the publicly accessible directory is located at `/var/www/example.org/public` (the "public root path"), accessing resources via the File Abstraction Layer component is limited to the mentioned directories. To grant additional access to directories, they must be explicitly configured in the system settings of `$GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath']` - either using the Install Tool or according to deployment techniques. The existing setting has been extended to support multiple directories configured as an array of strings. Example: ```php $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'] = [ ‘/var/shared/documents/’, ‘/var/shared/images/’, ]; ``` ❗ **Storages that reference directories not explicitly granted will be marked as "offline" internally - no resources can be used in the website's frontend and backend context.** ### Credits Thanks to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-001](https://typo3.org/security/advisory/typo3-core-sa-2024-001) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-3j7t-8pse-yyc3
Aliases: GHSA-ppvg-hw62-6ph9 |
TYPO3 Security Misconfiguration in Install Tool Cookie It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool. |
Affected by 0 other vulnerabilities. |
|
VCID-4381-nt69-cyhx
Aliases: GHSA-95qm-3xp7-vfj5 |
TYPO3 Cross-Site Scripting in Form Framework validation handling It has been discovered that the output of field validation errors in the Form Framework is vulnerable to cross-site scripting. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-4h6w-4bx8-x3bn
Aliases: CVE-2020-11069 GHSA-pqg8-crx9-g8m4 |
Backend Same-Site Request Forgery in TYPO3 CMS > ### Meta > * CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C > * CWE-352 > * CWE-346 ### Problem It has been discovered that backend user interface and install tool are vulnerable to same-origin request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server - scripts are then executed with the privileges of the victims' user session. In a worst case scenario new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it’s actually a same-origin request forgery. Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a 3rd party extension - e.g. file upload in a contact form with knowing the target location. The attacked victim requires an active and valid backend or install tool user sessions at the time of the attack to be successful. ### Solution Update to TYPO3 versions 9.5.17 or 10.4.2 that mitigates the problem described. ### Additional Considerations The deployment of additional mitigation techniques is suggested as described below. #### Sudo Mode Extension This TYPO3 extension intercepts modifications to security relevant database tables, e.g. those storing user accounts or storages of the file abstraction layer. Modifications need to confirmed by again by the acting user with providing their password again - this technique is known as "sudo mode". This way unintended actions happening in the background can be mitigated. * https://github.com/FriendsOfTYPO3/sudo-mode * https://extensions.typo3.org/extension/sudo_mode #### Content Security Policy [Content Security Policies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) tell (modern) browsers how resources served a particular site are handled - it also it possible to disallow script executions for specific locations. In a TYPO3 context it is suggested to disallow direct script execution at least for locations `/fileadmin/` and `/uploads/`. ``` # in fileadmin/.htaccess <IfModule mod_headers.c> Header add Content-Security-Policy "default-src 'self'; script-src 'none';" </IfModule> ``` ### Credits Thanks to Matteo Bonaker who reported this issue and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * https://typo3.org/security/advisory/typo3-core-sa-2020-006 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-53bg-1gfq-7bap
Aliases: 2018-12-11-2 |
Cross-site Scripting Cross-Site Scripting in Backend Modal Component. |
Affected by 0 other vulnerabilities. |
|
VCID-59c6-ews9-cbaf
Aliases: 2018-07-12-3 |
Privilege Escalation & SQL Injection in TYPO3 CMS. |
Affected by 0 other vulnerabilities. |
|
VCID-5bv2-kvrt-w3a6
Aliases: CVE-2024-34356 GHSA-v6mw-h7w6-59w3 |
TYPO3 vulnerable to Cross-Site Scripting in the Form Manager Module ### Problem The form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to the form module. ### Solution Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described. ### Credits Thanks to TYPO3 core & security team member Benjamin Franzke who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2024-008](https://typo3.org/security/advisory/typo3-core-sa-2024-008) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-7rsj-1mbz-2bc9
Aliases: GHSA-8c25-vj2w-p72j |
TYPO3 Cross-Site Scripting in Frontend User Login Failing to properly encode user input, login status display is vulnerable to cross-site scripting in the website frontend. A valid user account is needed in order to exploit this vulnerability - either a backend user or a frontend user having the possibility to modify their user profile. Template patterns that are affected are - ###FEUSER_[fieldName]### using system extension felogin - <!--###USERNAME###--> for regular frontend rendering (pattern can be defined individually using TypoScript setting config.USERNAME_substToken) |
Affected by 0 other vulnerabilities. |
|
VCID-7vrs-6mah-2fh9
Aliases: CVE-2021-32668 GHSA-6mh3-j5r5-2379 |
Cross-Site Scripting in Query Generator & Query View > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.5) ### Problem Failing to properly encode error messages, the components _QueryGenerator_ and _QueryView_ are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2021-010](https://typo3.org/security/advisory/typo3-core-sa-2021-010) |
Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-7w5e-uefx-c7cg
Aliases: GHSA-22q7-cg4r-p9mx |
TYPO3 Cross-Site Scripting in Fluid ViewHelpers Failing to properly encode user input, templates using built-in Fluid ViewHelpers are vulnerable to cross-site scripting. |
Affected by 0 other vulnerabilities. |
|
VCID-7yn7-f2cw-ukfj
Aliases: 2018-12-11-6 |
Uncontrolled Resource Consumption Denial of Service in Online Media Asset Handling. |
Affected by 0 other vulnerabilities. |
|
VCID-7zyp-yza7-2udn
Aliases: 2019-05-07-2 |
Security Misconfiguration in User Session Handling. |
Affected by 0 other vulnerabilities. |
|
VCID-87g8-zcww-p7bm
Aliases: CVE-2019-12748 GHSA-r6fv-56gp-j3r4 |
Typo3 Cross-Site Scripting in Link Handling TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. |
Affected by 0 other vulnerabilities. |
|
VCID-89e7-n8qr-mkc1
Aliases: CVE-2024-22188 GHSA-5w2h-59j3-8x5w |
TYPO3 Install Tool vulnerable to Code Execution ### Problem Several settings in the Install Tool for configuring the path to system binaries were vulnerable to code execution. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. The corresponding change for this advisory involves enforcing the known disadvantages described in [TYPO3-PSA-2020-002: Protecting Install Tool with Sudo Mode](https://typo3.org/security/advisory/typo3-psa-2020-002). ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to Rickmer Frier & Daniel Jonka who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-002](https://typo3.org/security/advisory/typo3-core-sa-2024-002) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-8hs1-4esc-7qac
Aliases: 2019-05-07-5 |
Information Disclosure in User Authentication. |
Affected by 0 other vulnerabilities. |
|
VCID-8rqv-y2gn-6yd1
Aliases: GHSA-p2h4-7fp3-cmh8 |
TYPO3 Disclosure of Information about Installed Extensions It has been discovered that mechanisms used for configuration of RequireJS package loading are susceptible to information disclosure. This way a potential attack can retrieve additional information about installed system and third party extensions. |
Affected by 0 other vulnerabilities. |
|
VCID-8u66-mv4d-zbd4
Aliases: 2019-01-22-6 |
Cross-site Scripting Cross-Site Scripting in Form Framework. |
Affected by 0 other vulnerabilities. |
|
VCID-969f-fsfs-23e1
Aliases: GHSA-6xwf-7rfm-4gwc |
TYPO3 Cross-Site Scripting in Filelist Module It has been discovered that the output table listing in the “Files” backend module is vulnerable to cross-site scripting when a file extension contains malicious sequences. Access to the file system of the server - either directly or through synchronization - is required to exploit the vulnerability. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-a9kp-9ews-e3b1
Aliases: GHSA-82vp-jr39-4j2j |
TYPO3 Security Misconfiguration in Frontend Session Handling It has been discovered session data of properly authenticated and logged in frontend users is kept and transformed into an anonymous user session during the logout process. This way the next user using the same client application gains access to previous session data. |
Affected by 0 other vulnerabilities. |
|
VCID-aj9w-bguk-9yek
Aliases: 2019-06-25-5 |
Insecure Deserialization in TYPO3 CMS. |
Affected by 0 other vulnerabilities. |
|
VCID-azgc-c9tj-bfd7
Aliases: 2019-06-25-6 |
Deserialization of Untrusted Data Possible deserialization side-effects in `symfony/cache`. |
Affected by 0 other vulnerabilities. |
|
VCID-b6fq-n6qz-wbgb
Aliases: CVE-2024-34358 GHSA-36g8-62qv-5957 |
TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController ### Problem The `ShowImageController` (_eID tx_cms_showpic_) lacks a cryptographic HMAC-signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. ### Solution Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described. #### ℹ️ **Strong security defaults - Manual actions required** The `frame` HTTP query parameter is now ignored, since it could not be used by core APIs. The new feature flag `security.frontend.allowInsecureFrameOptionInShowImageController` – which is disabled per default – can be used to reactivate the previous behavior. ### Credits Thanks to TYPO3 security team member Torben Hansen who reported this issue and to TYPO3 core & security team members Benjamin Mack and Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-010](https://typo3.org/security/advisory/typo3-core-sa-2024-010) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-bbk3-1g7g-akdv
Aliases: CVE-2020-15098 GHSA-m5vr-3m74-jwxp |
Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (8.2) > * CWE-325, CWE-20, CWE-200, CWE-502 ### Problem It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below. * [TYPO3-CORE-SA-2020-007](https://typo3.org/security/advisory/typo3-core-sa-2020-007), [CVE-2020-15099](https://nvd.nist.gov/vuln/detail/CVE-2020-15099): Potential Privilege Escalation + the database server used for a TYPO3 installation must be accessible for an attacker (either via internet or shared hosting network) + `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (7.5, high) * [TYPO3-CORE-SA-2016-013](https://typo3.org/security/advisory/typo3-core-sa-2016-013), [CVE-2016-5091](https://nvd.nist.gov/vuln/detail/CVE-2016-5091): Insecure Deserialization & Remote Code Execution + an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation + `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (9.1, critical) The overall severity of this vulnerability is **high (8.2)** based on mentioned attack chains and the requirement of having a valid backend user session (authenticated). ### Solution Update to TYPO3 versions 9.5.20 or 10.4.6 that fix the problem described. ### Credits Thanks to TYPO3 security team member Oliver Hader who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2020-008](https://typo3.org/security/advisory/typo3-core-sa-2020-008) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-bf43-tfbv-6uef
Aliases: GHSA-wvvp-jwf5-qcpc |
TYPO3 Information Disclosure in Page Tree It has been discovered backend users not having read access to specific pages still could see them in the page tree which actually should be disallowed. A valid backend user account is needed in order to exploit this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-bvjs-f141-sfc7
Aliases: 2019-06-25-1 |
Information Disclosure in Backend User Interface. |
Affected by 0 other vulnerabilities. |
|
VCID-cpa8-x668-5qgb
Aliases: GHSA-x428-565f-8xj2 |
TYPO3 Arbitrary Code Execution and Cross-Site Scripting in Backend API Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfig_includes is vulnerable to directory traversal leading to same scenarios as having direct access to TSconfig settings. A valid backend user account having access to modify values for fields `pages.TSconfig` and `pages.tsconfig_includes` is needed in order to exploit this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-cvpr-b5np-6bcv
Aliases: 2018-07-12-1 |
Improper Authentication Authentication Bypass in TYPO3 CMS. |
Affected by 0 other vulnerabilities. |
|
VCID-cwcg-nskg-4ycj
Aliases: CVE-2020-15099 GHSA-3x94-fv5h-5q2c |
Exposure of Sensitive Information to an Unauthorized Actor in TYPO3 CMS > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (7.5) > * CWE-20, CWE-200 ### Problem In case an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal _encryptionKey_ was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch _typo3conf/LocalConfiguration.php_ which again contains the _encryptionKey_ as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, this allows to completely retrieve, manipulate or delete database contents. This includes creating an administration user account - which can be used to trigger remote code execution by injecting custom extensions. ### Solution Update to TYPO3 versions 9.5.20 or 10.4.6 that fix the problem described. ### Credits Thanks to TYPO3 security team member Oliver Hader who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2020-007](https://typo3.org/security/advisory/typo3-core-sa-2020-007) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-d5cf-nhec-auab
Aliases: GHSA-wj85-rg5g-v8jm |
TYPO3 Information Disclosure in User Authentication It has been discovered that login failures have been logged on the default stream with log level "warning" including plain-text user credentials. |
Affected by 0 other vulnerabilities. |
|
VCID-dfng-qmn8-jyc5
Aliases: 2019-01-22-2 |
Security Misconfiguration for Backend User Accounts. |
Affected by 0 other vulnerabilities. |
|
VCID-dkmy-bwds-s7f4
Aliases: 2019-05-07-1 |
Cross-site Scripting Cross-Site Scripting in Fluid Engine. |
Affected by 0 other vulnerabilities. |
|
VCID-dybf-xk32-pkdg
Aliases: CVE-2020-15241 GHSA-7733-hjv6-4h47 |
Cross-Site Scripting in ternary conditional operator > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C`(5.0) > * CWE-79 --- :information_source: This vulnerability has been fixed in May 2019 already, CVE and GHSA were assigned later in October 2020 --- ### Problem It has been discovered that the Fluid Engine (package `typo3fluid/fluid`) is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like the following. ``` {showFullName ? fullName : defaultValue} ``` ### Solution Update to versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 of this `typo3fluid/fluid` package that fix the problem described. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) releases: * TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.5) * TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1) ### Credits Thanks to Bill Dagou who reported this issue and to TYPO3 core merger Claus Due who fixed the issue. ### References * [TYPO3-CORE-SA-2019-013](https://typo3.org/security/advisory/typo3-core-sa-2019-013) |
Affected by 0 other vulnerabilities. |
|
VCID-e3gy-22s1-huhc
Aliases: 2019-01-22-1 |
Information Disclosure of Installed Extensions. |
Affected by 0 other vulnerabilities. |
|
VCID-ejc9-8p24-9bfw
Aliases: CVE-2020-11067 GHSA-2wj9-434x-9hvp |
Insecure Deserialization in Backend User Settings in TYPO3 CMS It has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of 3rd party components this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability. Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described. ### References * https://typo3.org/security/advisory/typo3-core-sa-2020-005 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-evyj-ctem-nffy
Aliases: CVE-2024-25119 GHSA-h47m-3f78-qp9g |
TYPO3 Install Tool vulnerable to Information Disclosure of Encryption Key ### Problem The plaintext value of `$GLOBALS['SYS']['encryptionKey']` was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-004](https://typo3.org/security/advisory/typo3-core-sa-2024-004) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-f9e5-am8t-j7gc
Aliases: CVE-2019-11832 GHSA-3w4h-r27h-4r2w |
TYPO3 Image Processing susceptible to Code Execution TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 is susceptible to remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick. For a successful exploit, the GhostScript binary `gs` must be available on the server system. |
Affected by 0 other vulnerabilities. |
|
VCID-fbxf-4gpp-4ff9
Aliases: CVE-2022-31048 GHSA-3r95-23jp-mhvg |
Cross-Site Scripting in TYPO3's Form Framework > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. ### Credits Thanks to Gabe Troyan who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2022-003](https://typo3.org/security/advisory/typo3-core-sa-2022-003) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-fdsz-4q4m-eqgq
Aliases: GHSA-4459-qrcc-vfcf |
TYPO3 Cross-Site Scripting in Form Framework Failing to properly encode user input, frontend forms handled by the form framework (system extension “form”) are vulnerable to cross-site scripting. |
Affected by 0 other vulnerabilities. |
|
VCID-fj4s-fcy4-2fcj
Aliases: 2018-12-11-1 |
Cross-site Scripting Cross-Site Scripting in Online Media Asset Rendering. |
Affected by 0 other vulnerabilities. |
|
VCID-g1yv-sk44-n3fu
Aliases: CVE-2019-10912 GHSA-w2fr-65vp-mxw3 |
Deserialization of untrusted data in Symfony In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge. |
Affected by 0 other vulnerabilities. |
|
VCID-gjpz-dm25-wbej
Aliases: GHSA-gqqf-g5r7-84vf |
TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7) ### Problem Due to a parsing issue in upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://github.com/TYPO3/html-sanitizer). ### Solution Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above. ### Credits Thanks to David Klein who reported this issue, and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-011](https://typo3.org/security/advisory/typo3-core-sa-2022-011) * [GHSA-47m6-46mj-p235](https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-47m6-46mj-p235) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-gqbq-47a9-7ygk
Aliases: GHSA-5h5v-m596-r6rf |
TYPO3 Possible Insecure Deserialization in Extbase Request Handling It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized. However, since sensitive information could have been leaked by accident (e.g. in repositories or in commonly known and unprotected backup files), there is the possibility that attackers know the private encryptionKey and are able to calculate the required HMAC-SHA1 to allow a malicious payload to be deserialized. Requirements for successfully exploiting this vulnerability (all of the following): - rendering at least one Extbase plugin in the frontend - encryptionKey has been leaked (from LocalConfiguration.php or corresponding .env file) |
Affected by 0 other vulnerabilities. |
|
VCID-hrjb-bbbx-1kbq
Aliases: 2018-12-11-5 |
Information Disclosure in Install Tool. |
Affected by 0 other vulnerabilities. |
|
VCID-jcjk-1u7e-vbez
Aliases: CVE-2024-25118 GHSA-38r2-5695-334w |
TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords ### Problem Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to the TYPO3 framework merger Christian Kuhn and external security researchers Maximilian Beckmann, Klaus-Günther Schmidt who reported this issue, and TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2024-003](https://typo3.org/security/advisory/typo3-core-sa-2024-003) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-jzqt-aujy-n3gw
Aliases: 2018-07-12-4 |
Insecure Deserialization in TYPO3 CMS. |
Affected by 0 other vulnerabilities. |
|
VCID-kfrr-f48y-tkb3
Aliases: GHSA-rv8r-8mh5-5376 |
TYPO3 Information Disclosure in Backend User Interface The element information component used to display properties of a certain record is susceptible to information disclosure. The list of references from or to the record is not properly checked for the backend user’s permissions. A valid backend user account is needed in order to exploit this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-kh9n-kuvd-pbat
Aliases: CVE-2022-23501 GHSA-jfp7-79g7-89rf |
TYPO3 CMS vulnerable to Weak Authentication in Frontend Login ### Problem Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-013](https://typo3.org/security/advisory/typo3-core-sa-2022-013) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ks2k-ehk8-nqbm
Aliases: CVE-2021-32669 GHSA-rgcg-28xm-8mmw |
Cross-Site Scripting in Backend Grid View ### Problem Failing to properly encode settings for _backend layouts_, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to TYPO3 core merger Oliver Bartsch who reported and fixed the issue. |
Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-kugm-f7sk-vub9
Aliases: GHSA-rxc9-f2x6-qh4w |
TYPO3 Security Misconfiguration for Backend User Accounts When using the TYPO3 backend in order to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed - which might be entity type or the admin flag for backend users - the backend form is reloaded in order to reflect changed configuration possibilities. However, this leads to persisting the current state as well, which can result into some of the following: - account contains empty login credentials (username and/or password) - account is incomplete and contains weak credentials (username and/or password) Albeit the functionality provided by the TYPO3 core cannot be used either with empty usernames or empty passwords, it still can be a severe vulnerability to custom authentication service implementations. This weakness cannot be directly exploited and requires interaction on purpose by some backend user having according privileges. |
Affected by 0 other vulnerabilities. |
|
VCID-n7ha-dtwq-xqf9
Aliases: 2018-07-12-2 |
Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS. |
Affected by 0 other vulnerabilities. |
|
VCID-nz3y-ncy4-7kdm
Aliases: CVE-2020-11066 GHSA-2rxh-h6h9-qrqc |
Class destructors causing side-effects when being unserialized in TYPO3 CMS Calling unserialize() on malicious user-submitted content can result in the following scenarios: - trigger deletion of arbitrary directory in file system (if writable for web server) - trigger message submission via email using identity of web site (mail relay) Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described. ### References * https://typo3.org/security/advisory/typo3-core-sa-2020-004 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-p778-sd22-dfea
Aliases: GHSA-g4c9-qfvw-fmr4 |
TYPO3 Cross-Site Scripting in Backend Modal Component Failing to properly encode user input, notifications shown in modal windows in the TYPO3 backend are vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-pe6b-ygxy-kqes
Aliases: 2019-01-22-4 |
Cross-site Scripting Cross-Site Scripting in Fluid `ViewHelpers`. |
Affected by 0 other vulnerabilities. |
|
VCID-pn6v-bye1-33fu
Aliases: CVE-2022-23500 GHSA-8c28-5mp7-v24h |
TYPO3 CMS vulnerable to Denial of Service in Page Error Handling ### Problem Requesting invalid or non-existing resources via HTTP triggers the page error handler, which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This vulnerability is very similar, but not identical, to the one described in [TYPO3-CORE-SA-2021-005](https://typo3.org/security/advisory/typo3-core-sa-2021-005) (CVE-2021-21359). ### Solution Update to TYPO3 versions 9.5.38 ELTS, 10.4.33 or 11.5.20 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-012](https://typo3.org/security/advisory/typo3-core-sa-2022-012) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-pwe8-razn-buae
Aliases: CVE-2018-17960 GHSA-g68x-vvqq-pvw3 |
Ckeditor XSS Vulnerability CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. It was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, it is recommended to upgrade to the latest editor version. |
Affected by 0 other vulnerabilities. |
|
VCID-q2ch-qd6x-vqeu
Aliases: CVE-2022-31047 GHSA-fh99-4pgr-8j99 |
Insertion of Sensitive Information into Log File in typo3/cms-core > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that system internal credentials or keys (e.g. database credentials) have been logged as plaintext in exception handlers, when logging the complete exception stack trace. ### Solution Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. ### Credits Thanks to Marco Huber who reported this issue and to TYPO3 security member Torben Hansen who fixed the issue. ### References * [TYPO3-CORE-SA-2022-002](https://typo3.org/security/advisory/typo3-core-sa-2022-002) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-q765-aqau-8feb
Aliases: CVE-2020-11065 GHSA-4j77-gg36-9864 |
Cross-Site Scripting in TYPO3 CMS Link Handling It has been discovered that link tags generated by `typolink` functionality are vulnerable to cross-site scripting - properties being assigned as HTML attributes have not been parsed correctly. Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described. ### References * https://typo3.org/security/advisory/typo3-core-sa-2020-003 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-r9ct-7gds-vkg3
Aliases: GHSA-xmgr-jff3-fcfv |
TYPO3 Security Misconfiguration in User Session Handling When users change their password existing sessions for that particular user account are not revoked. A valid backend or frontend user account is required in order to make use of this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-r9mh-kcss-63ac
Aliases: CVE-2020-11064 GHSA-43gj-mj2w-wh46 |
Cross-Site Scripting in TYPO3 CMS Form Engine In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML `placeholder` attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described. ### References * https://typo3.org/security/advisory/typo3-core-sa-2020-002 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-r9yp-177t-efc4
Aliases: 2019-01-22-7 |
Code Injection Arbitrary Code Execution via File List Module. |
Affected by 0 other vulnerabilities. |
|
VCID-rep9-2rxn-gfee
Aliases: 2019-05-07-3 |
Code Injection Possible Arbitrary Code Execution in Image Processing. |
Affected by 0 other vulnerabilities. |
|
VCID-rmnv-emnu-6bfy
Aliases: CVE-2021-32767 GHSA-34fr-fhqr-7235 |
Information Disclosure in User Authentication > ### Meta > * CVSS: `AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the _default_ configuration. ### Solution Update to TYPO3 versions 7.6.52 ELTS, 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Ingo Schmitt who reported this issue, and to TYPO3 core & security team member Benni Mack who fixed the issue. ### References * [TYPO3-CORE-SA-2021-012](https://typo3.org/security/advisory/typo3-core-sa-2021-012) |
Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-t7b2-114h-ekaw
Aliases: 2019-06-25-2 |
Cross-site Scripting Cross-Site Scripting in Link Handling. |
Affected by 0 other vulnerabilities. |
|
VCID-tbp9-2rg8-u7bk
Aliases: 2019-06-25-4 |
Code Injection Arbitrary Code Execution and Cross-Site Scripting in Backend API. |
Affected by 0 other vulnerabilities. |
|
VCID-tfey-6228-tybz
Aliases: 2019-01-22-5 |
Cross-site Scripting Cross-Site Scripting in Bootstrap CSS toolkit. |
Affected by 0 other vulnerabilities. |
|
VCID-the9-7p23-q7ac
Aliases: GHSA-96jg-pmc4-cx39 |
TYPO3 CMS Insecure Deserialization It has been discovered that the Form Framework (system extension `form`) is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package `yaml`, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting `yaml.decode_php` enabled is needed to exploit this vulnerability (which is the default value according to PHP documentation). |
Affected by 0 other vulnerabilities. |
|
VCID-thjz-e86b-n3a7
Aliases: CVE-2019-12747 GHSA-86hp-xrhj-fhpq |
Typo3 Vulnerable to Insecure Deserialization TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. |
Affected by 0 other vulnerabilities. |
|
VCID-tvq8-qbwc-qkfs
Aliases: CVE-2021-32768 GHSA-c5c9-8c6m-727v |
Cross-Site Scripting via Rich-Text Content > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC` (5.7) ### Problem Failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality _[HTMLparser](https://docs.typo3.org/m/typo3/reference-typoscript/10.4/en-us/Functions/Htmlparser.html)_ do not consider all potentially malicious HTML tag & attribute combinations per default. In addition, the lack of comprehensive default node configuration for rich-text fields in the backend user interface fosters this malfunction. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. ### Solution Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described above. Custom package _[typo3/html-sanitizer](https://github.com/TYPO3/html-sanitizer)_ - based on allow-lists only - takes care of sanitizing potentially malicious markup. The default behavior is based on safe and commonly used markup - however, this can be extended or restricted further in case it is necessary for individual scenarios. During the frontend rendering process, sanitization is applied to the default TypoScript path `lib.parseFunc`, which is implicitly used by the Fluid view-helper instruction `f:format.html`. Rich-text data persisted using the backend user interface is sanitized as well. Implementation details are explained in corresponding [ChangeLog documentation](https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/9.5.x/Important-94484-IntroduceHTMLSanitizer.html). ### Credits Thanks to Benjamin Stiber, Gert-Jan Jansma, Gábor Ács-Kurucz, Alexander Kellner, Richie Lee, Nina Rösch who reported this issue, and to TYPO3 security team member Oliver Hader, as well as TYPO3 contributor Susanne Moog who fixed the issue. ### References * [TYPO3-CORE-SA-2021-013](https://typo3.org/security/advisory/typo3-core-sa-2021-013) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-u34g-yks8-hbay
Aliases: CVE-2018-14041 GHSA-pj7m-g53m-7638 |
Bootstrap Cross-site Scripting vulnerability In Bootstrap 4.x before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042. |
Affected by 0 other vulnerabilities. |
|
VCID-u3es-5tz4-ybfc
Aliases: 2019-06-25-3 |
Security Misconfiguration in Frontend Session Handling. |
Affected by 0 other vulnerabilities. |
|
VCID-u89a-9jv7-bkhu
Aliases: CVE-2022-31050 GHSA-wwjw-r3gj-39fq |
Insufficient Session Expiration in TYPO3's Admin Tool > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C` (5.6) ### Problem Admin Tool sessions initiated via the TYPO3 backend user interface have not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit. ### Solution Update to TYPO3 versions 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. ### Credits Thanks to Kien Hoang who reported this issue and to TYPO3 framework merger Ralf Zimmermann and TYPO3 security member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-005](https://typo3.org/security/advisory/typo3-core-sa-2022-005) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-u89w-wxx8-27g1
Aliases: 2019-06-25-7 |
Improper Access Control Broken Access Control in Import Module. |
Affected by 0 other vulnerabilities. |
|
VCID-u8we-bkyu-83b8
Aliases: CVE-2022-23503 GHSA-c5wx-6c2c-f7rm |
TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework ### Problem Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it was possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item (known as [`formDefinitionOverrides`](https://docs.typo3.org/c/typo3/cms-form/main/en-us/I/Concepts/FrontendRendering/Index.html#form-element-properties)) and a valid backend user account with access to the form module are needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-015](https://typo3.org/security/advisory/typo3-core-sa-2022-015) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-v92t-hba5-9uec
Aliases: CVE-2021-32667 GHSA-8mq9-fqv8-59wf |
Cross-Site Scripting in Page Preview > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC` (5.0) ### Problem Failing to properly encode _Page TSconfig_ settings, corresponding page preview module (_Web>View_) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to TYPO3 core merger Oliver Bartsch who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2021-009](https://typo3.org/security/advisory/typo3-core-sa-2021-009) |
Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-vecz-7yug-dbcx
Aliases: CVE-2022-23504 GHSA-8w3p-qh3x-6gjr |
TYPO3 CMS vulnerable to Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration > ### CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C` (5.3) ### Problem Due to the lack of handling user-submitted [YAML placeholder expressions](https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/Configuration/Yaml/YamlApi.html#custom-placeholder-processing) in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### Credits Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2022-016](https://typo3.org/security/advisory/typo3-core-sa-2022-016) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-w2hv-ftte-fyd1
Aliases: CVE-2022-36107 GHSA-9c6w-55cp-5w25 |
TYPO3 CMS Stored Cross-Site Scripting via FileDumpController > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.0) ### Problem It has been discovered that the `FileDumpController` (backend and frontend context) is vulnerable to cross-site scripting when malicious files are displayed using this component. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above. ### Credits Thanks to Vautia who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-009](https://typo3.org/security/advisory/typo3-core-sa-2022-009) * [Vulnerability Report on huntr.dev](https://huntr.dev/bounties/51e9b709-193c-41fd-bd4a-833aaca0bd4e/) (embargoed +30 days) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-wpup-swbs-43dk
Aliases: GHSA-f9hr-7cfq-mjg2 |
TYPO3 Arbitrary Code Execution via File List Module Due to missing file extensions in $GLOBALS['TYPO3_CONF_VARS']['BE'][‘fileDenyPattern’], backend users are allowed to upload *.phar, *.shtml, *.pl or *.cgi files which can be executed in certain web server setups. A valid backend user account is needed in order to exploit this vulnerability. Derivatives of Debian GNU Linux are handling *.phar files as PHP applications since PHP 7.1 (for unofficial packages) and PHP 7.2 (for official packages). The file extension *.shtml is bound to server side includes which are not enabled per default in most common Linux based distributions. File extension *.pl and *.cgi require additional handlers to be configured which is also not the case in most common distributions (except for /cgi-bin/ location). |
Affected by 0 other vulnerabilities. |
|
VCID-wrje-qvf1-2ua8
Aliases: CVE-2024-25121 GHSA-rj3x-wvc6-5j66 |
TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler ### Problem Entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. #### ℹ️ Strong security defaults - Manual actions required When persisting entities of the File Abstraction Layer directly via DataHandler, `sys_file` entities are now denied by default, and `sys_file_reference` & `sys_file_metadata` entities are not permitted to reference files in the fallback storage anymore. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using `$dataHandler->isImporting = true;`. ### Credits Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2024-006](https://typo3.org/security/advisory/typo3-core-sa-2024-006) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-x8ep-x9yv-tuc4
Aliases: GHSA-wg8h-gxf4-g4gh |
TYPO3 Cross-Site Scripting in Online Media Asset Rendering Failing to properly encode user input, online media asset rendering (*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user account or write access on the server system (e.g. SFTP) is needed in order to exploit this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-xdgy-veem-vua5
Aliases: GHSA-29m4-mx89-3mjg |
TYPO3 Denial of Service in Online Media Asset Handling Online Media Asset Handling (*.youtube and *.vimeo files) in the TYPO3 backend is vulnerable to denial of service. Putting large files with according file extensions results in high consumption of system resources. This can lead to exceeding limits of the current PHP process which results in a dysfunctional backend component. A valid backend user account or write access on the server system (e.g. SFTP) is needed in order to exploit this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-xsd3-6zyc-j7dg
Aliases: 2018-12-11-4 |
Security Misconfiguration in Install Tool Cookie. |
Affected by 0 other vulnerabilities. |
|
VCID-xww9-ktn9-e3ga
Aliases: CVE-2022-36105 GHSA-m392-235j-9r7r |
TYPO3 CMS vulnerable to User Enumeration via Response Timing > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that observing response time during user authentication (backend and frontend) can be used to distinguish between existing and non-existing user accounts. Extension authors of 3rd party TYPO3 extensions providing a custom authentication service should check if the extension is affected by the described problem. Affected extensions must implement new `MimicServiceInterface::mimicAuthUser`, which simulates corresponding times regular processing would usually take. ### Solution Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above. ### Credits Thanks to Vautia who reported this issue and to TYPO3 core & security team members Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-007](https://typo3.org/security/advisory/typo3-core-sa-2022-007) * [Vulnerability Report on huntr.dev](https://huntr.dev/bounties/7d519735-2877-4fad-bd77-accde3e290a7/) (embargoed +30 days) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xxf2-6qn3-x7f8
Aliases: CVE-2022-31046 GHSA-8gmv-9hwg-w89g |
Information Disclosure via Export Module > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C` (4.0) ### Problem The export functionality fails to limit the result set to allowed columns of a particular database table. This allows authenticated users to export internal details of database tables to which they already have access. ### Solution Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. In order to address this issue, access to mentioned export functionality is completely denied for regular backend users. ℹ️ **Strong security defaults - Manual actions required** Following User TSconfig setting would allow using the export functionality for particular users: ``` options.impexp.enableExportForNonAdminUser = 1 ``` ### Credits Thanks to TYPO3 core merger Lina Wolf who reported this issue and to TYPO3 security member Torben Hansen who fixed the issue. ### References * [TYPO3-CORE-SA-2022-001](https://typo3.org/security/advisory/typo3-core-sa-2022-001) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-y7rf-5x8u-5ff3
Aliases: 2019-01-22-8 |
Cross-site Scripting Cross-Site Scripting in Language Pack Handling. |
Affected by 0 other vulnerabilities. |
|
VCID-yfgj-vux5-sybb
Aliases: 2019-05-07-4 |
Information Disclosure in Page Tree. |
Affected by 0 other vulnerabilities. |
|
VCID-ynrh-kamk-augw
Aliases: GHSA-4ppr-jw47-9qm5 |
TYPO3 Cross-Site Scripting in Link Handling It has been discovered that t3:// URL handling and typolink functionality are vulnerable to cross-site scripting. Not only regular backend forms are affected but also frontend extensions which use the rendering with typolink. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-yqf5-djd2-suea
Aliases: CVE-2024-25120 GHSA-wf85-8hx9-gj7c |
TYPO3 vulnerable to Improper Access Control of Resources Referenced by t3:// URI Scheme ### Problem The TYPO3-specific [`t3://` URI scheme](https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references) could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-005](https://typo3.org/security/advisory/typo3-core-sa-2024-005) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-yv3c-d7fb-v3bm
Aliases: GHSA-cc97-g92w-jm65 |
TYPO3 CMS Insecure Deserialization & Arbitrary Code Execution Phar files (formerly known as "PHP archives") can act als self extracting archives which leads to the fact that source code is executed when Phar files are invoked. The Phar file format is not limited to be stored with a dedicated file extension - "bundle.phar" would be valid as well as "bundle.txt" would be. This way, Phar files can be obfuscated as image or text file which would not be denied from being uploaded and persisted to a TYPO3 installation. Due to a missing sanitization of user input, those Phar files can be invoked by manipulated URLs in TYPO3 backend forms. A valid backend user account is needed to exploit this vulnerability. In theory the attack vector would be possible in the TYPO3 frontend as well, however no functional exploit has been identified so far. |
Affected by 0 other vulnerabilities. |
|
VCID-z54r-1zba-1bcx
Aliases: GHSA-66c2-7g4p-wx4p |
TYPO3 Information Disclosure in Install Tool The Install Tool exposes the current TYPO3 version number to non-authenticated users. |
Affected by 0 other vulnerabilities. |
|
VCID-zrvx-m37x-v3a1
Aliases: 2018-12-11-8 |
Cross-site Scripting Cross-Site Scripting in CKEditor. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||