Vulnerabilities affecting this package (0)

| Vulnerability | Summary | Fixed by |
| --- | --- | --- |

This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (14)

| Vulnerability | Summary | Aliases |
| --- | --- | --- |
| VCID-1txn-xjt1-37ha | Cross-site Scripting: Cross-Site Scripting in Frontend User Login. | 2018-12-11-3 |
| VCID-3j7t-8pse-yyc3 | TYPO3 Security Misconfiguration in Install Tool Cookie: It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities, such as cross-site scripting, this can lead to hijacking of an active and valid Install Tool session. | GHSA-ppvg-hw62-6ph9 |
| VCID-53bg-1gfq-7bap | Cross-site Scripting: Cross-Site Scripting in Backend Modal Component. | 2018-12-11-2 |
| VCID-7rsj-1mbz-2bc9 | TYPO3 Cross-Site Scripting in Frontend User Login: Because user input is not properly encoded, the login status display is vulnerable to cross-site scripting in the website frontend. A valid user account is needed in order to exploit this vulnerability, either a backend user or a frontend user who is able to modify their user profile. The affected template patterns are `###FEUSER_[fieldName]###` (system extension felogin) and `<!--###USERNAME###-->` for regular frontend rendering (the pattern can be defined individually using the TypoScript setting config.USERNAME_substToken). | GHSA-8c25-vj2w-p72j |
| VCID-7yn7-f2cw-ukfj | Uncontrolled Resource Consumption: Denial of Service in Online Media Asset Handling. | 2018-12-11-6 |
| VCID-fj4s-fcy4-2fcj | Cross-site Scripting: Cross-Site Scripting in Online Media Asset Rendering. | 2018-12-11-1 |
| VCID-hrjb-bbbx-1kbq | Information Disclosure in Install Tool. | 2018-12-11-5 |
| VCID-p778-sd22-dfea | TYPO3 Cross-Site Scripting in Backend Modal Component: Because user input is not properly encoded, notifications shown in modal windows in the TYPO3 backend are vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability. | GHSA-g4c9-qfvw-fmr4 |
| VCID-pwe8-razn-buae | CKEditor XSS Vulnerability: CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. It was possible to execute XSS inside the CKEditor source area after persuading the victim to (i) switch CKEditor to source mode, (ii) paste specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, it is recommended to upgrade to the latest editor version. | CVE-2018-17960, GHSA-g68x-vvqq-pvw3 |
| VCID-x8ep-x9yv-tuc4 | TYPO3 Cross-Site Scripting in Online Media Asset Rendering: Because user input is not properly encoded, online media asset rendering (*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user account or write access on the server system (e.g. SFTP) is needed in order to exploit this vulnerability. | GHSA-wg8h-gxf4-g4gh |
| VCID-xdgy-veem-vua5 | TYPO3 Denial of Service in Online Media Asset Handling: Online Media Asset Handling (*.youtube and *.vimeo files) in the TYPO3 backend is vulnerable to denial of service. Placing large files with the corresponding file extensions results in high consumption of system resources. This can exceed the limits of the current PHP process, leaving the backend component dysfunctional. A valid backend user account or write access on the server system (e.g. SFTP) is needed in order to exploit this vulnerability. | GHSA-29m4-mx89-3mjg |
| VCID-xsd3-6zyc-j7dg | Security Misconfiguration in Install Tool Cookie. | 2018-12-11-4 |
| VCID-z54r-1zba-1bcx | TYPO3 Information Disclosure in Install Tool: The Install Tool exposes the current TYPO3 version number to non-authenticated users. | GHSA-66c2-7g4p-wx4p |
| VCID-zrvx-m37x-v3a1 | Cross-site Scripting: Cross-Site Scripting in CKEditor. | 2018-12-11-8 |