Package details: pkg:composer/typo3/cms@8.7.23
purl pkg:composer/typo3/cms@8.7.23
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (14)
Vulnerability Summary Aliases
VCID-17h4-rww9-93ad Improper Access Control Broken Access Control in Localization Handling. 2019-01-22-3
VCID-3vjn-rrkb-nbbw TYPO3 Arbitrary Code Execution via File List Module Due to missing file extensions in $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], backend users are allowed to upload *.phar, *.shtml, *.pl or *.cgi files which can be executed in certain web server setups. A valid backend user account is needed in order to exploit this vulnerability. Derivatives of Debian GNU Linux are handling *.phar files as PHP applications since PHP 7.1 (for unofficial packages) and PHP 7.2 (for official packages). The file extension *.shtml is bound to server side includes which are not enabled per default in most common Linux based distributions. File extension *.pl and *.cgi require additional handlers to be configured which is also not the case in most common distributions (except for /cgi-bin/ location). GHSA-8h4m-r4wm-xj7r
VCID-7hee-5tpj-g7ct TYPO3 Information Disclosure of Installed Extensions It has been discovered that mechanisms used for configuration of RequireJS package loading are susceptible to information disclosure. This way a potential attacker can retrieve additional information about installed system and third party extensions. GHSA-f624-8hfq-5fh3
VCID-8u66-mv4d-zbd4 Cross-site Scripting Cross-Site Scripting in Form Framework. 2019-01-22-6
VCID-dfng-qmn8-jyc5 Security Misconfiguration for Backend User Accounts. 2019-01-22-2
VCID-e3gy-22s1-huhc Information Disclosure of Installed Extensions. 2019-01-22-1
VCID-g8w9-nj7c-dfa4 TYPO3 Security Misconfiguration for Backend User Accounts When using the TYPO3 backend in order to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed (which might be the entity type or the admin flag for backend users), the backend form is reloaded in order to reflect the changed configuration possibilities. However, this leads to persisting the current state as well, which can result in some of the following: the account contains empty login credentials (username and/or password); the account is incomplete and contains weak credentials (username and/or password). Although the functionality provided by the TYPO3 core cannot be used with either empty usernames or empty passwords, it can still be a severe vulnerability for custom authentication service implementations. This weakness cannot be directly exploited and requires deliberate interaction by a backend user with the corresponding privileges. GHSA-c5mj-39cf-3pp5
VCID-pe6b-ygxy-kqes Cross-site Scripting Cross-Site Scripting in Fluid `ViewHelpers`. 2019-01-22-4
VCID-qj2p-m8ce-myb3 TYPO3 Cross-Site Scripting in Fluid ViewHelpers Failing to properly encode user input, templates using built-in Fluid ViewHelpers are vulnerable to cross-site scripting. GHSA-85ch-44w7-rf32
VCID-r9yp-177t-efc4 Code Injection Arbitrary Code Execution via File List Module. 2019-01-22-7
VCID-smyk-z453-gyag TYPO3 Broken Access Control in Localization Handling It has been discovered that backend users having limited access to specific languages are capable of modifying and creating pages in the default language which actually should be disallowed. A valid backend user account is needed in order to exploit this vulnerability. GHSA-772m-43f3-hmf8
VCID-tfey-6228-tybz Cross-site Scripting Cross-Site Scripting in Bootstrap CSS toolkit. 2019-01-22-5
VCID-u34g-yks8-hbay Bootstrap Cross-site Scripting vulnerability In Bootstrap 4.x before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042. CVE-2018-14041, GHSA-pj7m-g53m-7638
VCID-yt8r-5b7g-1ueq TYPO3 Cross-Site Scripting in Form Framework Failing to properly encode user input, frontend forms handled by the form framework (system extension “form”) are vulnerable to cross-site scripting. GHSA-4h5c-5g25-v7fh

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-03T13:56:55.195922+00:00 GitLab Importer Fixing VCID-7hee-5tpj-g7ct https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/GHSA-f624-8hfq-5fh3.yml 36.1.3
2025-07-03T13:56:54.967558+00:00 GitLab Importer Fixing VCID-yt8r-5b7g-1ueq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/GHSA-4h5c-5g25-v7fh.yml 36.1.3
2025-07-03T13:56:54.923778+00:00 GitLab Importer Fixing VCID-g8w9-nj7c-dfa4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/GHSA-c5mj-39cf-3pp5.yml 36.1.3
2025-07-03T13:56:54.309500+00:00 GitLab Importer Fixing VCID-smyk-z453-gyag https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/GHSA-772m-43f3-hmf8.yml 36.1.3
2025-07-03T13:56:53.822746+00:00 GitLab Importer Fixing VCID-3vjn-rrkb-nbbw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/GHSA-8h4m-r4wm-xj7r.yml 36.1.3
2025-07-03T13:56:53.535532+00:00 GitLab Importer Fixing VCID-qj2p-m8ce-myb3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/GHSA-85ch-44w7-rf32.yml 36.1.3
2025-07-01T18:11:26.489658+00:00 GitLab Importer Fixing VCID-dfng-qmn8-jyc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/2019-01-22-2.yml 36.1.3
2025-07-01T18:11:26.415617+00:00 GitLab Importer Fixing VCID-r9yp-177t-efc4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/2019-01-22-7.yml 36.1.3
2025-07-01T18:11:26.352398+00:00 GitLab Importer Fixing VCID-tfey-6228-tybz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/2019-01-22-5.yml 36.1.3
2025-07-01T18:11:26.312877+00:00 GitLab Importer Fixing VCID-17h4-rww9-93ad https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/2019-01-22-3.yml 36.1.3
2025-07-01T18:11:26.295990+00:00 GitLab Importer Fixing VCID-pe6b-ygxy-kqes https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/2019-01-22-4.yml 36.1.3
2025-07-01T18:11:26.188090+00:00 GitLab Importer Fixing VCID-e3gy-22s1-huhc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/2019-01-22-1.yml 36.1.3
2025-07-01T18:11:26.144165+00:00 GitLab Importer Fixing VCID-8u66-mv4d-zbd4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/2019-01-22-6.yml 36.1.3
2025-07-01T18:11:08.542681+00:00 GitLab Importer Fixing VCID-u34g-yks8-hbay https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2018-14041.yml 36.1.3
2025-07-01T14:35:08.084534+00:00 GHSA Importer Fixing VCID-3vjn-rrkb-nbbw https://github.com/advisories/GHSA-8h4m-r4wm-xj7r 36.1.3
2025-07-01T14:35:08.014868+00:00 GHSA Importer Fixing VCID-7hee-5tpj-g7ct https://github.com/advisories/GHSA-f624-8hfq-5fh3 36.1.3
2025-07-01T14:35:07.933988+00:00 GHSA Importer Fixing VCID-yt8r-5b7g-1ueq https://github.com/advisories/GHSA-4h5c-5g25-v7fh 36.1.3
2025-07-01T14:35:07.896265+00:00 GHSA Importer Fixing VCID-g8w9-nj7c-dfa4 https://github.com/advisories/GHSA-c5mj-39cf-3pp5 36.1.3
2025-07-01T14:35:07.793675+00:00 GHSA Importer Fixing VCID-smyk-z453-gyag https://github.com/advisories/GHSA-772m-43f3-hmf8 36.1.3
2025-07-01T14:35:07.699902+00:00 GHSA Importer Fixing VCID-qj2p-m8ce-myb3 https://github.com/advisories/GHSA-85ch-44w7-rf32 36.1.3
2025-07-01T14:29:13.141609+00:00 GHSA Importer Fixing VCID-u34g-yks8-hbay https://github.com/advisories/GHSA-pj7m-g53m-7638 36.1.3
2025-07-01T12:21:11.414063+00:00 GithubOSV Importer Fixing VCID-u34g-yks8-hbay https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/09/GHSA-pj7m-g53m-7638/GHSA-pj7m-g53m-7638.json 36.1.3
2025-07-01T12:11:13.633813+00:00 GithubOSV Importer Fixing VCID-qj2p-m8ce-myb3 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-85ch-44w7-rf32/GHSA-85ch-44w7-rf32.json 36.1.3
2025-07-01T12:11:11.967976+00:00 GithubOSV Importer Fixing VCID-7hee-5tpj-g7ct https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-f624-8hfq-5fh3/GHSA-f624-8hfq-5fh3.json 36.1.3
2025-07-01T12:11:09.443059+00:00 GithubOSV Importer Fixing VCID-g8w9-nj7c-dfa4 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-c5mj-39cf-3pp5/GHSA-c5mj-39cf-3pp5.json 36.1.3
2025-07-01T12:11:07.049138+00:00 GithubOSV Importer Fixing VCID-3vjn-rrkb-nbbw https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-8h4m-r4wm-xj7r/GHSA-8h4m-r4wm-xj7r.json 36.1.3
2025-07-01T12:11:02.569299+00:00 GithubOSV Importer Fixing VCID-smyk-z453-gyag https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-772m-43f3-hmf8/GHSA-772m-43f3-hmf8.json 36.1.3
2025-07-01T12:10:58.876211+00:00 GithubOSV Importer Fixing VCID-yt8r-5b7g-1ueq https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-4h5c-5g25-v7fh/GHSA-4h5c-5g25-v7fh.json 36.1.3