VulnerableCode Package Details - pkg:composer/typo3/cms@9.5.7

Search for packages

Vulnerability	Summary	Fixed by
VCID-87g8-zcww-p7bm Aliases: CVE-2019-12748 GHSA-r6fv-56gp-j3r4	Typo3 Cross-Site Scripting in Link Handling TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS.	9.5.8 Affected by 0 other vulnerabilities.
VCID-thjz-e86b-n3a7 Aliases: CVE-2019-12747 GHSA-86hp-xrhj-fhpq	Typo3 Vulnerable to Insecure Deserialization TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data.	9.5.8 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-87g8-zcww-p7bm
Aliases:
CVE-2019-12748
GHSA-r6fv-56gp-j3r4

Typo3 Cross-Site Scripting in Link Handling TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS.

9.5.8
Affected by 0 other vulnerabilities.

VCID-thjz-e86b-n3a7
Aliases:
CVE-2019-12747
GHSA-86hp-xrhj-fhpq

Typo3 Vulnerable to Insecure Deserialization TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data.

9.5.8
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-dybf-xk32-pkdg	Cross-Site Scripting in ternary conditional operator > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C`(5.0) > * CWE-79 --- :information_source:  This vulnerability has been fixed in May 2019 already, CVE and GHSA were assigned later in October 2020 --- ### Problem It has been discovered that the Fluid Engine (package `typo3fluid/fluid`) is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like the following. ``` {showFullName ? fullName : defaultValue} ``` ### Solution Update to versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 of this `typo3fluid/fluid` package that fix the problem described. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) releases: * TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.5) * TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1) ### Credits Thanks to Bill Dagou who reported this issue and to TYPO3 core merger Claus Due who fixed the issue. ### References * [TYPO3-CORE-SA-2019-013](https://typo3.org/security/advisory/typo3-core-sa-2019-013)	CVE-2020-15241 GHSA-7733-hjv6-4h47

Vulnerability

Summary

Aliases

VCID-dybf-xk32-pkdg

Cross-Site Scripting in ternary conditional operator > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C`(5.0) > * CWE-79 --- :information_source:  This vulnerability has been fixed in May 2019 already, CVE and GHSA were assigned later in October 2020 --- ### Problem It has been discovered that the Fluid Engine (package `typo3fluid/fluid`) is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like the following. ``` {showFullName ? fullName : defaultValue} ``` ### Solution Update to versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 of this `typo3fluid/fluid` package that fix the problem described. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) releases: * TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.5) * TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1) ### Credits Thanks to Bill Dagou who reported this issue and to TYPO3 core merger Claus Due who fixed the issue. ### References * [TYPO3-CORE-SA-2019-013](https://typo3.org/security/advisory/typo3-core-sa-2019-013)

CVE-2020-15241
GHSA-7733-hjv6-4h47

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T13:55:45.678297+00:00	GitLab Importer	Fixing	VCID-dybf-xk32-pkdg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2020-15241.yml	36.1.3
2025-07-01T18:11:43.471612+00:00	GitLab Importer	Affected by	VCID-87g8-zcww-p7bm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2019-12748.yml	36.1.3
2025-07-01T18:11:43.440097+00:00	GitLab Importer	Affected by	VCID-thjz-e86b-n3a7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2019-12747.yml	36.1.3