VulnerableCode Package Details - pkg:composer/typo3/cms@10.4.17

Search for packages

Vulnerability	Summary	Fixed by
VCID-7vrs-6mah-2fh9 Aliases: CVE-2021-32668 GHSA-6mh3-j5r5-2379	Cross-Site Scripting in Query Generator & Query View > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.5) ### Problem Failing to properly encode error messages, the components _QueryGenerator_ and _QueryView_ are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2021-010](https://typo3.org/security/advisory/typo3-core-sa-2021-010)	10.4.18 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 11.3.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-ks2k-ehk8-nqbm Aliases: CVE-2021-32669 GHSA-rgcg-28xm-8mmw	Cross-Site Scripting in Backend Grid View ### Problem Failing to properly encode settings for _backend layouts_, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to TYPO3 core merger Oliver Bartsch who reported and fixed the issue.	10.4.18 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 11.3.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-rmnv-emnu-6bfy Aliases: CVE-2021-32767 GHSA-34fr-fhqr-7235	Information Disclosure in User Authentication > ### Meta > * CVSS: `AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the _default_ configuration. ### Solution Update to TYPO3 versions 7.6.52 ELTS, 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Ingo Schmitt who reported this issue, and to TYPO3 core & security team member Benni Mack who fixed the issue. ### References * [TYPO3-CORE-SA-2021-012](https://typo3.org/security/advisory/typo3-core-sa-2021-012)	10.4.18 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 11.3.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-v92t-hba5-9uec Aliases: CVE-2021-32667 GHSA-8mq9-fqv8-59wf	Cross-Site Scripting in Page Preview > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC` (5.0) ### Problem Failing to properly encode _Page TSconfig_ settings, corresponding page preview module (_Web>View_) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to TYPO3 core merger Oliver Bartsch who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2021-009](https://typo3.org/security/advisory/typo3-core-sa-2021-009)	10.4.18 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 11.3.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-7vrs-6mah-2fh9
Aliases:
CVE-2021-32668
GHSA-6mh3-j5r5-2379

Cross-Site Scripting in Query Generator & Query View > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.5) ### Problem Failing to properly encode error messages, the components _QueryGenerator_ and _QueryView_ are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2021-010](https://typo3.org/security/advisory/typo3-core-sa-2021-010)

10.4.18
Affected by 1 other vulnerability.

11.3.1
Affected by 1 other vulnerability.

VCID-ks2k-ehk8-nqbm
Aliases:
CVE-2021-32669
GHSA-rgcg-28xm-8mmw

Cross-Site Scripting in Backend Grid View ### Problem Failing to properly encode settings for _backend layouts_, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to TYPO3 core merger Oliver Bartsch who reported and fixed the issue.

10.4.18
Affected by 1 other vulnerability.

11.3.1
Affected by 1 other vulnerability.

VCID-rmnv-emnu-6bfy
Aliases:
CVE-2021-32767
GHSA-34fr-fhqr-7235

Information Disclosure in User Authentication > ### Meta > * CVSS: `AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the _default_ configuration. ### Solution Update to TYPO3 versions 7.6.52 ELTS, 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to Ingo Schmitt who reported this issue, and to TYPO3 core & security team member Benni Mack who fixed the issue. ### References * [TYPO3-CORE-SA-2021-012](https://typo3.org/security/advisory/typo3-core-sa-2021-012)

10.4.18
Affected by 1 other vulnerability.

11.3.1
Affected by 1 other vulnerability.

VCID-v92t-hba5-9uec
Aliases:
CVE-2021-32667
GHSA-8mq9-fqv8-59wf

Cross-Site Scripting in Page Preview > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC` (5.0) ### Problem Failing to properly encode _Page TSconfig_ settings, corresponding page preview module (_Web>View_) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 9.5.28, 10.4.18, 11.3.1 that fix the problem described. ### Credits Thanks to TYPO3 core merger Oliver Bartsch who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2021-009](https://typo3.org/security/advisory/typo3-core-sa-2021-009)

10.4.18
Affected by 1 other vulnerability.

11.3.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T18:11:46.133795+00:00	GitLab Importer	Affected by	VCID-ks2k-ehk8-nqbm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2021-32669.yml	36.1.3
2025-07-01T18:11:46.085997+00:00	GitLab Importer	Affected by	VCID-7vrs-6mah-2fh9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2021-32668.yml	36.1.3
2025-07-01T18:11:45.976432+00:00	GitLab Importer	Affected by	VCID-v92t-hba5-9uec	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2021-32667.yml	36.1.3
2025-07-01T18:11:45.797148+00:00	GitLab Importer	Affected by	VCID-rmnv-emnu-6bfy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2021-32767.yml	36.1.3