purl: pkg:composer/typo3/cms@9.5.12
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-q765-aqau-8feb (Aliases: CVE-2020-11065, GHSA-4j77-gg36-9864) | Cross-Site Scripting in TYPO3 CMS Link Handling: It has been discovered that link tags generated by `typolink` functionality are vulnerable to cross-site scripting; properties assigned as HTML attributes have not been parsed correctly. Update to TYPO3 versions 9.5.17 or 10.4.2, which fix the problem described. References: https://typo3.org/security/advisory/typo3-core-sa-2020-003 | Affected by 0 other vulnerabilities. |
Vulnerability | Summary | Aliases |
---|---|---|
VCID-56yk-z25r-nuap | TYPO3 Cross-Site Scripting in Filelist Module: It has been discovered that the output table listing in the "Files" backend module is vulnerable to cross-site scripting when a file extension contains malicious sequences. Access to the file system of the server, either directly or through synchronization, is required to exploit the vulnerability. | GHSA-g7hw-jh4p-75wr |
VCID-8mc9-ye3u-c3aj | TYPO3 Insecure Deserialization in Query Generator & Query View: An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges. | CVE-2019-19849, GHSA-rcgc-4xfc-564v |
VCID-cxp1-whzb-p7hy | TYPO3 Cross-Site Scripting in Form Framework validation handling: It has been discovered that the output of field validation errors in the Form Framework is vulnerable to cross-site scripting. | GHSA-v8m4-3w37-ghxx |
VCID-hg6g-kn76-bfbh | TYPO3 Directory Traversal on ZIP extraction: An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.) | CVE-2019-19848, GHSA-77p4-wfr8-977w |
VCID-rk6h-431z-ubbk | TYPO3 SQL Injection in low-level Query Generator: An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges. | CVE-2019-19850, GHSA-59pj-7mjh-4465 |
VCID-tvtv-cfzc-z3d5 | TYPO3 Cross-Site Scripting in Link Handling: It has been discovered that `t3://` URL handling and typolink functionality are vulnerable to cross-site scripting. Not only regular backend forms are affected, but also frontend extensions which render with typolink. | GHSA-xgmx-j3hv-jh9x |
VCID-zhvr-3e6u-2uc6 | TYPO3 CMS Possible Insecure Deserialization in Extbase Request Handling: It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User-submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret; invalid or unsigned payload is not deserialized. However, since sensitive information could have been leaked by accident (e.g. in repositories or in commonly known and unprotected backup files), there is the possibility that attackers know the private encryptionKey and are able to calculate the required HMAC-SHA1 to allow a malicious payload to be deserialized. Requirements for successfully exploiting this vulnerability (all of the following): rendering at least one Extbase plugin in the frontend; encryptionKey has been leaked (from LocalConfiguration.php or the corresponding .env file). | GHSA-hh95-5xm5-v8v7 |