VulnerableCode Package Details - pkg:composer/typo3/cms-core@9.3.2

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1xu4-29uk-z3f8	TYPO3 CMS Authentication Bypass vulnerability It has been discovered that TYPO3’s Salted Password system extension (which is a mandatory system component) is vulnerable to Authentication Bypass when using hashing methods which are related by PHP class inheritance. In standard TYPO3 core distributions stored passwords using the blowfish hashing algorithm can be overridden when using MD5 as the default hashing algorithm by just knowing a valid username. Per default the Portable PHP hashing algorithm (PHPass) is used which is not vulnerable.	GHSA-x4rj-f7m6-42c3
VCID-2734-1z2d-9ydz	TYPO3 CMS Privilege Escalation and SQL Injection Failing to properly dissociate system related configuration from user generated configuration, the Form Framework (system extension "form") is vulnerable to SQL injection and Privilege Escalation. Basically instructions can be persisted to a form definition file that were not configured to be modified - this applies to definitions managed using the form editor module as well as direct file upload using the regular file list module. A valid backend user account as well as having system extension form activated are needed in order to exploit this vulnerability.	GHSA-45wj-jv2h-jwrf
VCID-59c6-ews9-cbaf	Privilege Escalation & SQL Injection in TYPO3 CMS.	2018-07-12-3
VCID-cvpr-b5np-6bcv	Improper Authentication Authentication Bypass in TYPO3 CMS.	2018-07-12-1
VCID-jzqt-aujy-n3gw	Insecure Deserialization in TYPO3 CMS.	2018-07-12-4
VCID-n7ha-dtwq-xqf9	Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS.	2018-07-12-2
VCID-yv3c-d7fb-v3bm	TYPO3 CMS Insecure Deserialization & Arbitrary Code Execution Phar files (formerly known as "PHP archives") can act als self extracting archives which leads to the fact that source code is executed when Phar files are invoked. The Phar file format is not limited to be stored with a dedicated file extension - "bundle.phar" would be valid as well as "bundle.txt" would be. This way, Phar files can be obfuscated as image or text file which would not be denied from being uploaded and persisted to a TYPO3 installation. Due to a missing sanitization of user input, those Phar files can be invoked by manipulated URLs in TYPO3 backend forms. A valid backend user account is needed to exploit this vulnerability. In theory the attack vector would be possible in the TYPO3 frontend as well, however no functional exploit has been identified so far.	GHSA-cc97-g92w-jm65

Vulnerability

Summary

Aliases

VCID-1xu4-29uk-z3f8

TYPO3 CMS Authentication Bypass vulnerability It has been discovered that TYPO3’s Salted Password system extension (which is a mandatory system component) is vulnerable to Authentication Bypass when using hashing methods which are related by PHP class inheritance. In standard TYPO3 core distributions stored passwords using the blowfish hashing algorithm can be overridden when using MD5 as the default hashing algorithm by just knowing a valid username. Per default the Portable PHP hashing algorithm (PHPass) is used which is not vulnerable.

GHSA-x4rj-f7m6-42c3

VCID-2734-1z2d-9ydz

TYPO3 CMS Privilege Escalation and SQL Injection Failing to properly dissociate system related configuration from user generated configuration, the Form Framework (system extension "form") is vulnerable to SQL injection and Privilege Escalation. Basically instructions can be persisted to a form definition file that were not configured to be modified - this applies to definitions managed using the form editor module as well as direct file upload using the regular file list module. A valid backend user account as well as having system extension form activated are needed in order to exploit this vulnerability.

GHSA-45wj-jv2h-jwrf

VCID-59c6-ews9-cbaf

Privilege Escalation & SQL Injection in TYPO3 CMS.

2018-07-12-3

VCID-cvpr-b5np-6bcv

Improper Authentication Authentication Bypass in TYPO3 CMS.

2018-07-12-1

VCID-jzqt-aujy-n3gw

Insecure Deserialization in TYPO3 CMS.

2018-07-12-4

VCID-n7ha-dtwq-xqf9

Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS.

2018-07-12-2

VCID-yv3c-d7fb-v3bm

TYPO3 CMS Insecure Deserialization & Arbitrary Code Execution Phar files (formerly known as "PHP archives") can act als self extracting archives which leads to the fact that source code is executed when Phar files are invoked. The Phar file format is not limited to be stored with a dedicated file extension - "bundle.phar" would be valid as well as "bundle.txt" would be. This way, Phar files can be obfuscated as image or text file which would not be denied from being uploaded and persisted to a TYPO3 installation. Due to a missing sanitization of user input, those Phar files can be invoked by manipulated URLs in TYPO3 backend forms. A valid backend user account is needed to exploit this vulnerability. In theory the attack vector would be possible in the TYPO3 frontend as well, however no functional exploit has been identified so far.

GHSA-cc97-g92w-jm65

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T13:56:49.232197+00:00	GitLab Importer	Fixing	VCID-1xu4-29uk-z3f8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-x4rj-f7m6-42c3.yml	36.1.3
2025-07-03T13:56:48.483150+00:00	GitLab Importer	Fixing	VCID-2734-1z2d-9ydz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-45wj-jv2h-jwrf.yml	36.1.3
2025-07-03T13:56:48.418123+00:00	GitLab Importer	Fixing	VCID-yv3c-d7fb-v3bm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-cc97-g92w-jm65.yml	36.1.3
2025-07-01T18:11:01.996442+00:00	GitLab Importer	Fixing	VCID-cvpr-b5np-6bcv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-07-12-1.yml	36.1.3
2025-07-01T18:11:01.631354+00:00	GitLab Importer	Fixing	VCID-59c6-ews9-cbaf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-07-12-3.yml	36.1.3
2025-07-01T18:11:01.610210+00:00	GitLab Importer	Fixing	VCID-n7ha-dtwq-xqf9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-07-12-2.yml	36.1.3
2025-07-01T18:11:01.420182+00:00	GitLab Importer	Fixing	VCID-jzqt-aujy-n3gw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-07-12-4.yml	36.1.3
2025-07-01T14:35:01.657020+00:00	GHSA Importer	Fixing	VCID-2734-1z2d-9ydz	https://github.com/advisories/GHSA-45wj-jv2h-jwrf	36.1.3
2025-07-01T14:35:01.616234+00:00	GHSA Importer	Fixing	VCID-yv3c-d7fb-v3bm	https://github.com/advisories/GHSA-cc97-g92w-jm65	36.1.3
2025-07-01T14:35:01.539502+00:00	GHSA Importer	Fixing	VCID-1xu4-29uk-z3f8	https://github.com/advisories/GHSA-x4rj-f7m6-42c3	36.1.3
2025-07-01T12:11:32.727992+00:00	GithubOSV Importer	Fixing	VCID-1xu4-29uk-z3f8	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-x4rj-f7m6-42c3/GHSA-x4rj-f7m6-42c3.json	36.1.3
2025-07-01T12:11:22.591526+00:00	GithubOSV Importer	Fixing	VCID-2734-1z2d-9ydz	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-45wj-jv2h-jwrf/GHSA-45wj-jv2h-jwrf.json	36.1.3
2025-07-01T12:11:18.734203+00:00	GithubOSV Importer	Fixing	VCID-yv3c-d7fb-v3bm	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-cc97-g92w-jm65/GHSA-cc97-g92w-jm65.json	36.1.3