Package details: pkg:composer/typo3/cms-core@9.5.8
purl pkg:composer/typo3/cms-core@9.5.8
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (14)
Vulnerability Summary Aliases
VCID-87g8-zcww-p7bm TYPO3 Cross-Site Scripting in Link Handling: TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. CVE-2019-12748, GHSA-r6fv-56gp-j3r4
VCID-a9kp-9ews-e3b1 TYPO3 Security Misconfiguration in Frontend Session Handling: It has been discovered that session data of properly authenticated and logged-in frontend users is kept and transformed into an anonymous user session during the logout process. This way the next user using the same client application gains access to previous session data. GHSA-82vp-jr39-4j2j
VCID-aj9w-bguk-9yek Insecure Deserialization in TYPO3 CMS. 2019-06-25-5
VCID-azgc-c9tj-bfd7 Deserialization of Untrusted Data: Possible deserialization side-effects in `symfony/cache`. 2019-06-25-6
VCID-bvjs-f141-sfc7 Information Disclosure in Backend User Interface. 2019-06-25-1
VCID-cpa8-x668-5qgb TYPO3 Arbitrary Code Execution and Cross-Site Scripting in Backend API: Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. The field `tsconfig_includes` is vulnerable to directory traversal, leading to the same scenarios as having direct access to TSconfig settings. A valid backend user account with access to modify values for the fields `pages.TSconfig` and `pages.tsconfig_includes` is needed in order to exploit this vulnerability. GHSA-x428-565f-8xj2
VCID-g1yv-sk44-n3fu Deserialization of untrusted data in Symfony: In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge. CVE-2019-10912, GHSA-w2fr-65vp-mxw3
VCID-kfrr-f48y-tkb3 TYPO3 Information Disclosure in Backend User Interface: The element information component used to display properties of a certain record is susceptible to information disclosure. The list of references from or to the record is not properly checked for the backend user’s permissions. A valid backend user account is needed in order to exploit this vulnerability. GHSA-rv8r-8mh5-5376
VCID-t7b2-114h-ekaw Cross-site Scripting: Cross-Site Scripting in Link Handling. 2019-06-25-2
VCID-tbp9-2rg8-u7bk Code Injection: Arbitrary Code Execution and Cross-Site Scripting in Backend API. 2019-06-25-4
VCID-thjz-e86b-n3a7 TYPO3 Vulnerable to Insecure Deserialization: TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. CVE-2019-12747, GHSA-86hp-xrhj-fhpq
VCID-u3es-5tz4-ybfc Security Misconfiguration in Frontend Session Handling. 2019-06-25-3
VCID-u89w-wxx8-27g1 Improper Access Control: Broken Access Control in Import Module. 2019-06-25-7
VCID-vztt-g631-r7aa TYPO3 Broken Access Control in Import Module: It has been discovered that the Import/Export module is susceptible to broken access control. Regular backend users have access to import functionality that is usually only available to admin users or to users with the User TSconfig setting options.impexp.enableImportForNonAdminUser explicitly enabled. Database content to be imported was correctly checked against users’ permissions and is not affected. However, it was possible to upload files bypassing the restrictions of the file abstraction layer (FAL); this did not affect executable files, which were correctly secured by fileDenyPattern. Currently the only known vulnerability is the direct injection of *.form.yaml files, which could be used to trigger the vulnerability of TYPO3-CORE-SA-2018-003 (privilege escalation & SQL injection); this requires the Form Framework (ext:form) to be available on the website in question. CVSSv3 scoring is based on this scenario. A valid backend user account is needed in order to exploit this vulnerability. GHSA-g776-759r-pf6x

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-01T18:11:42.410151+00:00 GitLab Importer Fixing VCID-aj9w-bguk-9yek https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-06-25-5.yml 36.1.3
2025-07-01T18:11:42.369311+00:00 GitLab Importer Fixing VCID-u3es-5tz4-ybfc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-06-25-3.yml 36.1.3
2025-07-01T18:11:42.348218+00:00 GitLab Importer Fixing VCID-u89w-wxx8-27g1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-06-25-7.yml 36.1.3
2025-07-01T18:11:42.321197+00:00 GitLab Importer Fixing VCID-tbp9-2rg8-u7bk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-06-25-4.yml 36.1.3
2025-07-01T18:11:42.260060+00:00 GitLab Importer Fixing VCID-bvjs-f141-sfc7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-06-25-1.yml 36.1.3
2025-07-01T18:11:42.237798+00:00 GitLab Importer Fixing VCID-azgc-c9tj-bfd7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-06-25-6.yml 36.1.3
2025-07-01T18:11:42.211997+00:00 GitLab Importer Fixing VCID-t7b2-114h-ekaw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2019-06-25-2.yml 36.1.3
2025-07-01T14:35:02.437765+00:00 GHSA Importer Fixing VCID-cpa8-x668-5qgb https://github.com/advisories/GHSA-x428-565f-8xj2 36.1.3
2025-07-01T14:35:02.400259+00:00 GHSA Importer Fixing VCID-vztt-g631-r7aa https://github.com/advisories/GHSA-g776-759r-pf6x 36.1.3
2025-07-01T14:35:02.366575+00:00 GHSA Importer Fixing VCID-a9kp-9ews-e3b1 https://github.com/advisories/GHSA-82vp-jr39-4j2j 36.1.3
2025-07-01T14:35:02.346512+00:00 GHSA Importer Fixing VCID-kfrr-f48y-tkb3 https://github.com/advisories/GHSA-rv8r-8mh5-5376 36.1.3
2025-07-01T14:32:55.891258+00:00 GHSA Importer Fixing VCID-thjz-e86b-n3a7 https://github.com/advisories/GHSA-86hp-xrhj-fhpq 36.1.3
2025-07-01T14:32:55.852088+00:00 GHSA Importer Fixing VCID-87g8-zcww-p7bm https://github.com/advisories/GHSA-r6fv-56gp-j3r4 36.1.3
2025-07-01T14:30:03.813163+00:00 GHSA Importer Fixing VCID-g1yv-sk44-n3fu https://github.com/advisories/GHSA-w2fr-65vp-mxw3 36.1.3
2025-07-01T12:30:19.369645+00:00 GithubOSV Importer Fixing VCID-87g8-zcww-p7bm https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r6fv-56gp-j3r4/GHSA-r6fv-56gp-j3r4.json 36.1.3
2025-07-01T12:26:04.364843+00:00 GithubOSV Importer Fixing VCID-thjz-e86b-n3a7 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-86hp-xrhj-fhpq/GHSA-86hp-xrhj-fhpq.json 36.1.3
2025-07-01T12:17:02.300008+00:00 GithubOSV Importer Fixing VCID-g1yv-sk44-n3fu https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-w2fr-65vp-mxw3/GHSA-w2fr-65vp-mxw3.json 36.1.3
2025-07-01T12:11:36.271429+00:00 GithubOSV Importer Fixing VCID-vztt-g631-r7aa https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-g776-759r-pf6x/GHSA-g776-759r-pf6x.json 36.1.3
2025-07-01T12:11:24.876825+00:00 GithubOSV Importer Fixing VCID-a9kp-9ews-e3b1 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-82vp-jr39-4j2j/GHSA-82vp-jr39-4j2j.json 36.1.3
2025-07-01T12:11:18.379026+00:00 GithubOSV Importer Fixing VCID-kfrr-f48y-tkb3 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-rv8r-8mh5-5376/GHSA-rv8r-8mh5-5376.json 36.1.3
2025-07-01T12:11:17.897779+00:00 GithubOSV Importer Fixing VCID-cpa8-x668-5qgb https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-x428-565f-8xj2/GHSA-x428-565f-8xj2.json 36.1.3