Package details: pkg:composer/typo3/cms@8.5.0
purl pkg:composer/typo3/cms@8.5.0
Next non-vulnerable version 8.7.5
Latest non-vulnerable version 12.2.0
Risk 4.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-1d1x-7vx6-zbfw
Aliases:
CVE-2017-14251
GHSA-fh4q-hxrw-cjqq
TYPO3 Arbitrary Code Execution. Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code.
8.7.5
Affected by 0 other vulnerabilities.
VCID-59c6-ews9-cbaf
Aliases:
2018-07-12-3
Privilege Escalation & SQL Injection in TYPO3 CMS.
8.7.17
Affected by 0 other vulnerabilities.
9.3.2
Affected by 0 other vulnerabilities.
VCID-5kf1-bpk8-9bag
Aliases:
GHSA-8h28-f46f-m87h
Insecure Deserialization in TYPO3 CMS. It has been discovered that the Form Framework (system extension "form") is vulnerable to Insecure Deserialization when used with the additional PHP PECL package “yaml”, which is capable of unserializing YAML contents to PHP objects. Exploiting this vulnerability requires a valid backend user account and the PHP setting "yaml.decode_php" to be enabled (which is the default value according to PHP documentation).
8.7.17
Affected by 0 other vulnerabilities.
9.3.2
Affected by 0 other vulnerabilities.
VCID-jzqt-aujy-n3gw
Aliases:
2018-07-12-4
Insecure Deserialization in TYPO3 CMS.
8.7.17
Affected by 0 other vulnerabilities.
9.3.2
Affected by 0 other vulnerabilities.
VCID-sdkp-ww83-93gx
Aliases:
GHSA-7qwg-fcpw-xg5g
Privilege Escalation & SQL Injection in TYPO3 CMS. Because it fails to properly dissociate system-related configuration from user-generated configuration, the Form Framework (system extension "form") is vulnerable to SQL injection and Privilege Escalation. Instructions that were not configured to be modified can be persisted to a form definition file; this applies to definitions managed using the form editor module as well as to direct file upload using the regular file list module. Exploiting this vulnerability requires a valid backend user account and the system extension form to be activated.
8.7.17
Affected by 0 other vulnerabilities.
9.3.2
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-htsn-wq8h-qbgp Code Injection Remote Code Execution in third party library swiftmailer. 2017-01-03-1

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-03T13:56:52.803466+00:00 GitLab Importer Affected by VCID-5kf1-bpk8-9bag https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/GHSA-8h28-f46f-m87h.yml 36.1.3
2025-07-03T13:56:51.373558+00:00 GitLab Importer Affected by VCID-sdkp-ww83-93gx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/GHSA-7qwg-fcpw-xg5g.yml 36.1.3
2025-07-01T18:11:01.956045+00:00 GitLab Importer Affected by VCID-jzqt-aujy-n3gw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/2018-07-12-4.yml 36.1.3
2025-07-01T18:11:01.672449+00:00 GitLab Importer Affected by VCID-59c6-ews9-cbaf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/2018-07-12-3.yml 36.1.3
2025-07-01T18:10:30.752708+00:00 GitLab Importer Affected by VCID-1d1x-7vx6-zbfw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2017-14251.yml 36.1.3
2025-07-01T18:10:19.971882+00:00 GitLab Importer Fixing VCID-htsn-wq8h-qbgp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/2017-01-03-1.yml 36.1.3
2025-07-01T14:35:05.895636+00:00 GHSA Importer Affected by VCID-sdkp-ww83-93gx https://github.com/advisories/GHSA-7qwg-fcpw-xg5g 36.1.3
2025-07-01T14:35:05.777439+00:00 GHSA Importer Affected by VCID-5kf1-bpk8-9bag https://github.com/advisories/GHSA-8h28-f46f-m87h 36.1.3