Search for packages
| purl | pkg:composer/typo3/cms@4.5.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1k8p-1qw8-vybj
Aliases: GHSA-45xg-4w5x-j429 |
TYPO3 Arbitrary Shell Execution in Swiftmailer library The swiftmailer library in use allows to execute arbitrary shell commands if the "From" header comes from a non-trusted source and no "Return-Path" is configured. Affected are only TYPO3 installation the configuration option ``` $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport'] ``` is set to "sendmail". Installations with the default configuration are not affected. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 100 other vulnerabilities. |
|
VCID-3yv4-3421-tqf4
Aliases: CVE-2012-1606 GHSA-7wwr-p84q-qr3q |
Typo3 Backend XSS Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in the Backend component in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-6k39-dpuy-8yam
Aliases: CVE-2012-3527 GHSA-m4hw-r893-xh4g |
TYPO3 allows remote authenticated backend users to unserialize arbitrary objects view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)." |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-6tb2-9qd8-qyc7
Aliases: CVE-2011-4632 GHSA-h86g-796f-hhfq |
Typo3 XSS Vulnerabilities Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the tcemain flash message. |
Affected by 0 other vulnerabilities. |
|
VCID-6yaa-24e9-cubs
Aliases: CVE-2011-4627 GHSA-frf4-5p2c-c3ff |
Typo3 Information Disclosure TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows Information Disclosure on the backend. |
Affected by 0 other vulnerabilities. |
|
VCID-77zk-mttw-7yb5
Aliases: CVE-2014-3943 GHSA-qqh2-h6gw-6x8x |
Typo3 XSS Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 104 other vulnerabilities. |
|
VCID-8139-vreu-2kck
Aliases: CVE-2012-3529 GHSA-7gg8-3r6j-5g55 |
Typo3 Backend Configuration XSS Vulnerability The configuration module in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to obtain the encryption key via unspecified vectors. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-8tx1-99cc-tfcc
Aliases: CVE-2013-7073 GHSA-4rpv-g4gq-rh4m |
TYPO3 vulnerable to Information Disclosure via Content Editing Wizards component The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9mn3-51g6-zybx
Aliases: GHSA-mxjf-hc9v-xgv2 |
ExtJS JavaScript framework used in TYPO3 vulnerable to Cross-site Scripting Failing to properly validate the HTTP host-header TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to generate absolute URLs in several places like 404 handling, http(s) enforcement, password reset links and many more. Since the host header itself is provided by the client it can be forged to any value, even in a name based virtual hosts environment. A blog post describes this problem in great detail. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 104 other vulnerabilities. |
|
VCID-9xxg-zvpz-7yfa
Aliases: CVE-2011-4901 GHSA-8grp-3j5v-543g |
Typo3 Arbitrary Information Disclosure TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to extract arbitrary information from the TYPO3 database. |
Affected by 0 other vulnerabilities. |
|
VCID-c7jx-ey45-judf
Aliases: CVE-2014-3941 GHSA-594h-cx6w-p4jf |
Typo3 Host Header Spoofing Vulnerability TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing." |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 104 other vulnerabilities. |
|
VCID-cu6k-92m3-3bc4
Aliases: CVE-2011-4630 GHSA-29wr-24h5-95r5 |
Typo3 XSS Vulnerability Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the `browse_links` wizard. |
Affected by 0 other vulnerabilities. |
|
VCID-cv1m-r2d7-h3dx
Aliases: CVE-2014-3942 GHSA-55g3-fjwm-w2c8 |
TYPO3 Color Picker Wizard component allows remote authenticated editors to execute arbitrary PHP code The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-e9qd-svur-cfh3
Aliases: CVE-2012-1608 GHSA-w3v6-r62r-fvqh |
Typo3 API XSS Vulnerabilities The `t3lib_div::RemoveXSS` API method in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism and inject arbitrary web script or HTML via non printable characters. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-k14s-n1yr-fqhh
Aliases: CVE-2012-2112 GHSA-qfr3-29w6-hwpg |
Typo3 Exception Handler XSS Cross-site scripting (XSS) vulnerability in the Exception Handler in TYPO3 4.4.x before 4.4.15, 4.5.x before 4.5.15, 4.6.x before 4.6.8, and 4.7 allows remote attackers to inject arbitrary web script or HTML via exception messages. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ntqb-k9na-27f1
Aliases: CVE-2011-4904 GHSA-qf79-34j4-54m6 |
Typo3 Improper Access Control TYPO3 before 4.4.9 and 4.5.x before 4.5.4 does not apply proper access control on ExtDirect calls which allows remote attackers to retrieve ExtDirect endpoint services. |
Affected by 0 other vulnerabilities. |
|
VCID-pf2m-q69d-pqgr
Aliases: CVE-2012-6144 GHSA-947m-vgqc-x6v4 |
Typo3 Backend History Module Vulnerable to SQL Injection SQL injection vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 Due to missing encoding of user input, the history module is susceptible to SQL Injection and Cross-Site Scripting. A valid backend login is required to exploit this vulnerability. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-t1k9-3bh1-m7h4
Aliases: CVE-2011-4903 GHSA-q22w-r5qq-v3wf |
Typo3 XSS in RemoveXSS function Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the RemoveXSS function. |
Affected by 0 other vulnerabilities. |
|
VCID-vqk2-xzjq-rbbn
Aliases: CVE-2012-3530 GHSA-94c2-g68f-9r98 |
Typo3 API XSS Vulnerability Incomplete blacklist vulnerability in the `t3lib_div::quoteJSvalue` API function in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain HTML5 JavaScript events. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-wket-pcbe-afe5
Aliases: CVE-2011-4902 GHSA-9vxq-mxw5-mcgp |
Typo3 Arbitrary File Delete TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to delete arbitrary files on the webserver. |
Affected by 0 other vulnerabilities. |
|
VCID-y3xv-mm5f-nqb7
Aliases: CVE-2011-3583 GHSA-gx4p-6w86-f8jx |
Typo3 SQL injection due to faulty prepared statements It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are not properly replaced, could lead to a SQL Injection vulnerability. This issue can only be exploited if two or more parameters are bound to the query and at least two come from user input. | There are no reported fixed by versions. |
|
VCID-zb1h-ucdg-qbch
Aliases: CVE-2011-4628 GHSA-79gv-5cgx-x6rx |
Typo3 Authentication Bypass TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authentication mechanisms in the backend through a crafted request. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||