Package details: pkg:composer/typo3/cms-core@9.5.4
purl pkg:composer/typo3/cms-core@9.5.4
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (14)
Vulnerability Summary Aliases
VCID-4sgs-emam-3keh TYPO3 Cross-Site Scripting in Language Pack Handling Failing to properly encode information from external sources, language pack handling in the install tool is vulnerable to cross-site scripting. GHSA-76r3-m635-p3vc
VCID-7w5e-uefx-c7cg TYPO3 Cross-Site Scripting in Fluid ViewHelpers Failing to properly encode user input, templates using built-in Fluid ViewHelpers are vulnerable to cross-site scripting. GHSA-22q7-cg4r-p9mx
VCID-8rqv-y2gn-6yd1 TYPO3 Disclosure of Information about Installed Extensions It has been discovered that mechanisms used for configuration of RequireJS package loading are susceptible to information disclosure. This way a potential attacker can retrieve additional information about installed system and third party extensions. GHSA-p2h4-7fp3-cmh8
VCID-8u66-mv4d-zbd4 Cross-site Scripting Cross-Site Scripting in Form Framework. 2019-01-22-6
VCID-dfng-qmn8-jyc5 Security Misconfiguration for Backend User Accounts. 2019-01-22-2
VCID-e3gy-22s1-huhc Information Disclosure of Installed Extensions. 2019-01-22-1
VCID-fdsz-4q4m-eqgq TYPO3 Cross-Site Scripting in Form Framework Failing to properly encode user input, frontend forms handled by the form framework (system extension “form”) are vulnerable to cross-site scripting. GHSA-4459-qrcc-vfcf
VCID-kugm-f7sk-vub9 TYPO3 Security Misconfiguration for Backend User Accounts When using the TYPO3 backend to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed (which might be the entity type or the admin flag for backend users), the backend form is reloaded to reflect the changed configuration possibilities. However, this also persists the current state, which can result in some of the following: the account contains empty login credentials (username and/or password); the account is incomplete and contains weak credentials (username and/or password). Although the functionality provided by the TYPO3 core cannot be used with either empty usernames or empty passwords, this can still be a severe vulnerability for custom authentication service implementations. This weakness cannot be directly exploited and requires deliberate interaction by a backend user with the corresponding privileges. GHSA-rxc9-f2x6-qh4w
VCID-pe6b-ygxy-kqes Cross-site Scripting Cross-Site Scripting in Fluid `ViewHelpers`. 2019-01-22-4
VCID-r9yp-177t-efc4 Code Injection Arbitrary Code Execution via File List Module. 2019-01-22-7
VCID-tfey-6228-tybz Cross-site Scripting Cross-Site Scripting in Bootstrap CSS toolkit. 2019-01-22-5
VCID-u34g-yks8-hbay Bootstrap Cross-site Scripting vulnerability In Bootstrap 4.x before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042. CVE-2018-14041, GHSA-pj7m-g53m-7638
VCID-wpup-swbs-43dk TYPO3 Arbitrary Code Execution via File List Module Due to missing file extensions in $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], backend users are allowed to upload *.phar, *.shtml, *.pl or *.cgi files which can be executed in certain web server setups. A valid backend user account is needed in order to exploit this vulnerability. Derivatives of Debian GNU Linux are handling *.phar files as PHP applications since PHP 7.1 (for unofficial packages) and PHP 7.2 (for official packages). The file extension *.shtml is bound to server side includes which are not enabled per default in most common Linux based distributions. File extension *.pl and *.cgi require additional handlers to be configured which is also not the case in most common distributions (except for /cgi-bin/ location). GHSA-f9hr-7cfq-mjg2
VCID-y7rf-5x8u-5ff3 Cross-site Scripting Cross-Site Scripting in Language Pack Handling. 2019-01-22-8

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-03T13:56:49.296993+00:00 GitLab Importer Fixing VCID-7w5e-uefx-c7cg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-22q7-cg4r-p9mx.yml 36.1.3
2025-07-03T13:56:49.157172+00:00 GitLab Importer Fixing VCID-wpup-swbs-43dk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-f9hr-7cfq-mjg2.yml 36.1.3
2025-07-03T13:56:48.896039+00:00 GitLab Importer Fixing VCID-fdsz-4q4m-eqgq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-4459-qrcc-vfcf.yml 36.1.3
2025-07-03T13:56:48.865787+00:00 GitLab Importer Fixing VCID-8rqv-y2gn-6yd1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-p2h4-7fp3-cmh8.yml 36.1.3
2025-07-03T13:56:48.704990+00:00 GitLab Importer Fixing VCID-4sgs-emam-3keh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-76r3-m635-p3vc.yml 36.1.3
2025-07-03T13:56:48.107280+00:00 GitLab Importer Fixing VCID-kugm-f7sk-vub9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-rxc9-f2x6-qh4w.yml 36.1.3
2025-07-01T18:11:26.565103+00:00 GitLab Importer Fixing VCID-8u66-mv4d-zbd4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-6.yml 36.1.3
2025-07-01T18:11:26.544578+00:00 GitLab Importer Fixing VCID-dfng-qmn8-jyc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-2.yml 36.1.3
2025-07-01T18:11:26.468019+00:00 GitLab Importer Fixing VCID-r9yp-177t-efc4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-7.yml 36.1.3
2025-07-01T18:11:26.433551+00:00 GitLab Importer Fixing VCID-y7rf-5x8u-5ff3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-8.yml 36.1.3
2025-07-01T18:11:26.375119+00:00 GitLab Importer Fixing VCID-e3gy-22s1-huhc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-1.yml 36.1.3
2025-07-01T18:11:26.334015+00:00 GitLab Importer Fixing VCID-pe6b-ygxy-kqes https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-4.yml 36.1.3
2025-07-01T18:11:26.275931+00:00 GitLab Importer Fixing VCID-tfey-6228-tybz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-01-22-5.yml 36.1.3
2025-07-01T18:11:08.586912+00:00 GitLab Importer Fixing VCID-u34g-yks8-hbay https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2018-14041.yml 36.1.3
2025-07-01T14:35:02.277871+00:00 GHSA Importer Fixing VCID-8rqv-y2gn-6yd1 https://github.com/advisories/GHSA-p2h4-7fp3-cmh8 36.1.3
2025-07-01T14:35:02.188180+00:00 GHSA Importer Fixing VCID-fdsz-4q4m-eqgq https://github.com/advisories/GHSA-4459-qrcc-vfcf 36.1.3
2025-07-01T14:35:02.169632+00:00 GHSA Importer Fixing VCID-4sgs-emam-3keh https://github.com/advisories/GHSA-76r3-m635-p3vc 36.1.3
2025-07-01T14:35:02.152649+00:00 GHSA Importer Fixing VCID-wpup-swbs-43dk https://github.com/advisories/GHSA-f9hr-7cfq-mjg2 36.1.3
2025-07-01T14:35:02.096699+00:00 GHSA Importer Fixing VCID-7w5e-uefx-c7cg https://github.com/advisories/GHSA-22q7-cg4r-p9mx 36.1.3
2025-07-01T14:35:02.063451+00:00 GHSA Importer Fixing VCID-kugm-f7sk-vub9 https://github.com/advisories/GHSA-rxc9-f2x6-qh4w 36.1.3
2025-07-01T14:29:12.904196+00:00 GHSA Importer Fixing VCID-u34g-yks8-hbay https://github.com/advisories/GHSA-pj7m-g53m-7638 36.1.3
2025-07-01T12:21:11.321691+00:00 GithubOSV Importer Fixing VCID-u34g-yks8-hbay https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/09/GHSA-pj7m-g53m-7638/GHSA-pj7m-g53m-7638.json 36.1.3
2025-07-01T12:11:32.854383+00:00 GithubOSV Importer Fixing VCID-kugm-f7sk-vub9 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-rxc9-f2x6-qh4w/GHSA-rxc9-f2x6-qh4w.json 36.1.3
2025-07-01T12:11:31.357101+00:00 GithubOSV Importer Fixing VCID-8rqv-y2gn-6yd1 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-p2h4-7fp3-cmh8/GHSA-p2h4-7fp3-cmh8.json 36.1.3
2025-07-01T12:11:25.582542+00:00 GithubOSV Importer Fixing VCID-7w5e-uefx-c7cg https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-22q7-cg4r-p9mx/GHSA-22q7-cg4r-p9mx.json 36.1.3
2025-07-01T12:11:19.864533+00:00 GithubOSV Importer Fixing VCID-wpup-swbs-43dk https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-f9hr-7cfq-mjg2/GHSA-f9hr-7cfq-mjg2.json 36.1.3
2025-07-01T12:11:18.643621+00:00 GithubOSV Importer Fixing VCID-4sgs-emam-3keh https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-76r3-m635-p3vc/GHSA-76r3-m635-p3vc.json 36.1.3
2025-07-01T12:11:16.142028+00:00 GithubOSV Importer Fixing VCID-fdsz-4q4m-eqgq https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4459-qrcc-vfcf/GHSA-4459-qrcc-vfcf.json 36.1.3