Search for packages
| purl | pkg:composer/typo3/cms@6.1.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1k8p-1qw8-vybj
Aliases: GHSA-45xg-4w5x-j429 |
TYPO3 Arbitrary Shell Execution in Swiftmailer library The swiftmailer library in use allows to execute arbitrary shell commands if the "From" header comes from a non-trusted source and no "Return-Path" is configured. Affected are only TYPO3 installation the configuration option ``` $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport'] ``` is set to "sendmail". Installations with the default configuration are not affected. |
Affected by 0 other vulnerabilities. Affected by 100 other vulnerabilities. |
|
VCID-77zk-mttw-7yb5
Aliases: CVE-2014-3943 GHSA-qqh2-h6gw-6x8x |
Typo3 XSS Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters. |
Affected by 0 other vulnerabilities. Affected by 104 other vulnerabilities. |
|
VCID-8tx1-99cc-tfcc
Aliases: CVE-2013-7073 GHSA-4rpv-g4gq-rh4m |
TYPO3 vulnerable to Information Disclosure via Content Editing Wizards component The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters. |
Affected by 0 other vulnerabilities. |
|
VCID-9mn3-51g6-zybx
Aliases: GHSA-mxjf-hc9v-xgv2 |
ExtJS JavaScript framework used in TYPO3 vulnerable to Cross-site Scripting Failing to properly validate the HTTP host-header TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to generate absolute URLs in several places like 404 handling, http(s) enforcement, password reset links and many more. Since the host header itself is provided by the client it can be forged to any value, even in a name based virtual hosts environment. A blog post describes this problem in great detail. |
Affected by 0 other vulnerabilities. Affected by 104 other vulnerabilities. |
|
VCID-c7jx-ey45-judf
Aliases: CVE-2014-3941 GHSA-594h-cx6w-p4jf |
Typo3 Host Header Spoofing Vulnerability TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing." |
Affected by 0 other vulnerabilities. Affected by 104 other vulnerabilities. |
|
VCID-cv1m-r2d7-h3dx
Aliases: CVE-2014-3942 GHSA-55g3-fjwm-w2c8 |
TYPO3 Color Picker Wizard component allows remote authenticated editors to execute arbitrary PHP code The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||