| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complex
ity
|
Authen
tication
|
Confiden
tiality
|
Integrity
|
Availa
bility
|
|
1 |
CVE-2012-1086 |
79 |
|
XSS |
2012-02-14 |
2012-02-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the UrlTool (aeurltool) extension 0.1.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
2 |
CVE-2012-1085 |
|
|
+Info |
2012-02-14 |
2012-02-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in the BE User Switch (beuserswitch) extension 0.0.1 for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors. |
|
3 |
CVE-2012-1084 |
79 |
|
XSS |
2012-02-14 |
2012-02-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the BE User Switch (beuserswitch) extension 0.0.1 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
4 |
CVE-2012-1083 |
352 |
|
CSRF |
2012-02-14 |
2012-02-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Terminal PHP Shell (terminal) extension 0.3.2 and earlier for TYPO3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
|
5 |
CVE-2012-1082 |
79 |
|
XSS |
2012-02-14 |
2012-02-29 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Terminal PHP Shell (terminal) extension 0.3.2 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
6 |
CVE-2012-1080 |
79 |
|
XSS |
2012-02-14 |
2012-02-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Euro Calculator (skt_eurocalc) extension 0.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
7 |
CVE-2012-1074 |
89 |
|
Exec Code Sql |
2012-02-14 |
2012-02-15 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the White Papers (mm_whtppr) extension 0.0.4 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
8 |
CVE-2012-1073 |
79 |
|
XSS |
2012-02-14 |
2012-02-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Category-System (toi_category) extension 0.6.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
9 |
CVE-2012-1072 |
89 |
|
Exec Code Sql |
2012-02-14 |
2012-02-24 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Category-System (toi_category) extension 0.6.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
10 |
CVE-2011-4614 |
94 |
|
Exec Code File Inclusion |
2012-02-17 |
2012-02-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
PHP remote file inclusion vulnerability in Classes/Controller/AbstractController.php in the workspaces system extension in TYPO3 4.5.x before 4.5.9, 4.6.x before 4.6.2, and development versions of 4.7 allows remote attackers to execute arbitrary PHP code via a URL in the BACK_PATH parameter. |
|
11 |
CVE-2010-5104 |
200 |
|
+Info |
2012-05-21 |
2012-05-22 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characters in a LIKE query. |
|
12 |
CVE-2010-5103 |
89 |
|
Exec Code Sql |
2012-05-21 |
2012-05-22 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the list module in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via unspecified vectors. |
|
13 |
CVE-2010-5102 |
22 |
|
Dir. Trav. |
2012-05-21 |
2012-05-22 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Directory traversal vulnerability in mod/tools/em/class.em_unzip.php in the unzip library in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote attackers to write arbitrary files via unspecified vectors. |
|
14 |
CVE-2010-5101 |
22 |
|
Dir. Trav. File Inclusion |
2012-05-21 |
2012-05-22 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Directory traversal vulnerability in the TypoScript setup in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated administrators to read arbitrary files via unspecified vectors related to the "file inclusion functionality." |
|
15 |
CVE-2010-5100 |
79 |
|
XSS |
2012-05-21 |
2012-05-22 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the Install Tool in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
16 |
CVE-2010-5098 |
79 |
|
XSS |
2012-05-21 |
2012-05-22 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the FORM content object in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
17 |
CVE-2010-5097 |
79 |
|
XSS |
2012-05-21 |
2012-05-22 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the click enlarge functionality in TYPO3 4.3.x before 4.3.9 and 4.4.x before 4.4.5 when the caching framework is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
18 |
CVE-2010-4068 |
20 |
|
|
2010-10-25 |
2010-10-27 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
Unspecified vulnerability in the Extension Manager in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 allows remote authenticated administrators to read and possibly modify arbitrary files via a crafted parameter, a different vulnerability than CVE-2010-3714. |
|
19 |
CVE-2010-3717 |
264 |
|
DoS |
2010-10-25 |
2010-10-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The t3lib_div::validEmail function in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly restrict input to filter_var FILTER_VALIDATE_EMAIL operations in PHP, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a long e-mail address string, a related issue to CVE-2010-3710. |
|
20 |
CVE-2010-3716 |
20 |
|
+Priv |
2010-10-25 |
2010-10-27 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
The be_user_creation task in TYPO3 4.2.x before 4.2.15 and 4.3.x before 4.3.7 allows remote authenticated users to gain privileges via a crafted POST request that creates a user account with arbitrary group memberships. |
|
21 |
CVE-2010-3715 |
79 |
|
XSS |
2010-10-25 |
2010-10-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the RemoveXSS function, and allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (2) the backend. |
|
22 |
CVE-2010-3714 |
264 |
|
|
2010-10-25 |
2010-10-27 |
7.1 |
None |
Remote |
Medium |
Not required |
Complete |
None |
None |
|
The jumpUrl (aka access tracking) implementation in tslib/class.tslib_fe.php in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allows remote attackers to read arbitrary files via unspecified vectors. |
|
23 |
CVE-2010-1153 |
94 |
|
Exec Code File Inclusion |
2010-04-20 |
2010-06-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
PHP remote file inclusion vulnerability in the autoloader in TYPO3 4.3.x before 4.3.3 allows remote attackers to execute arbitrary PHP code via a URL in an input field associated with the className variable. |
|
24 |
CVE-2010-1006 |
89 |
|
Exec Code Sql |
2010-03-19 |
2010-03-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Brainstorming extension 0.1.8 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
25 |
CVE-2010-0347 |
79 |
|
XSS |
2010-01-15 |
2011-04-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the VD / Geomap (vd_geomap) extension 0.3.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
26 |
CVE-2010-0346 |
79 |
|
XSS |
2010-01-15 |
2011-04-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Tip many friends (mimi_tipfriends) extension 0.0.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
27 |
CVE-2010-0345 |
79 |
|
XSS |
2010-01-15 |
2010-01-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Majordomo extension 1.1.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
28 |
CVE-2010-0344 |
89 |
|
Exec Code Sql |
2010-01-15 |
2011-04-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the zak_store_management extension 1.0.0 and earlier TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
29 |
CVE-2010-0343 |
89 |
|
Exec Code Sql |
2010-01-15 |
2011-04-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Clan Users List (pb_clanlist) extension 0.0.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
30 |
CVE-2010-0342 |
89 |
|
Exec Code Sql |
2010-01-15 |
2011-04-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Reports for Job (job_reports) extension 0.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
31 |
CVE-2010-0341 |
89 |
|
Exec Code Sql |
2010-01-15 |
2011-04-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the BB Simple Jobs (bb_simplejobs) extension 0.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
32 |
CVE-2010-0340 |
89 |
|
Exec Code Sql |
2010-01-15 |
2011-04-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the MJS Event Pro (mjseventpro) extension 0.2.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
33 |
CVE-2010-0339 |
89 |
|
Exec Code Sql |
2010-01-15 |
2011-04-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the User Links (vm19_userlinks) extension 0.1.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
34 |
CVE-2010-0338 |
89 |
|
Exec Code Sql |
2010-01-15 |
2011-02-01 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the TT_Products editor (ttpedit) extension 0.0.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
35 |
CVE-2010-0337 |
89 |
|
Exec Code Sql |
2010-01-15 |
2011-04-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the tt_news Mail alert (dl3_tt_news_alerts) extension 0.2.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
36 |
CVE-2010-0336 |
|
|
+Info |
2010-01-15 |
2011-04-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in the kiddog_mysqldumper (kiddog_mysqldumper) extension 0.0.3 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown attack vectors. |
|
37 |
CVE-2010-0286 |
|
|
Bypass |
2010-02-22 |
2010-03-04 |
5.1 |
User |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Unspecified vulnerability in the OpenID Identity Authentication extension in TYPO3 4.3.0 allows remote attackers to bypass authentication and gain access to a backend user account via unknown attack vectors in which both the attacker and victim have an OpenID provider that discards identities during authentication. |
|
38 |
CVE-2009-4969 |
89 |
|
Exec Code Sql |
2010-07-28 |
2010-07-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Solidbase Bannermanagement (SBbanner) extension 1.0.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
39 |
CVE-2009-4963 |
79 |
|
XSS |
2010-07-28 |
2010-07-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Commerce extension before 0.9.9 for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
40 |
CVE-2009-4855 |
89 |
1
|
Exec Code Sql |
2010-05-11 |
2010-07-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
** DISPUTED ** SQL injection vulnerability in index.php in TYPO3 4.0 allows remote attackers to execute arbitrary SQL commands via the showUid parameter. NOTE: the TYPO3 Security Team disputes this report, stating that "there is no such vulnerability... The showUid parameter is generally used in third-party TYPO3 extensions - not in TYPO3 Core." |
|
41 |
CVE-2009-4740 |
22 |
|
Dir. Trav. |
2010-03-26 |
2010-03-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in the Webesse E-Card (ws_ecard) extension 1.0.2 and earlier for TYPO3 has unspecified impact and remote attack vectors. |
|
42 |
CVE-2009-4704 |
|
|
+Info |
2010-03-15 |
2010-03-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in the Webesse E-Card (ws_ecard) extension 1.0.2 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors. |
|
43 |
CVE-2009-4703 |
89 |
|
Exec Code Sql |
2010-03-15 |
2010-03-16 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Webesse Image Gallery (ws_gallery) extension 1.0.4 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
44 |
CVE-2009-4392 |
89 |
|
Exec Code Sql |
2009-12-22 |
2010-01-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the XDS Staff List (xds_staff) extension 0.0.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
45 |
CVE-2009-3636 |
79 |
|
XSS |
2009-11-02 |
2009-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. |
|
46 |
CVE-2009-3635 |
287 |
|
|
2009-11-02 |
2009-11-03 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential. |
|
47 |
CVE-2009-3634 |
79 |
|
XSS |
2009-11-02 |
2009-11-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Frontend Login Box (aka felogin) subcomponent in TYPO3 4.2.0 through 4.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. |
|
48 |
CVE-2009-3633 |
352 |
|
XSS |
2009-11-02 |
2009-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the sanitizing algorithm. |
|
49 |
CVE-2009-3632 |
89 |
|
Exec Code Sql |
2009-11-02 |
2009-11-03 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the traditional frontend editing feature in the Frontend Editing subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to execute arbitrary SQL commands via unspecified parameters. |
|
50 |
CVE-2009-3631 |
94 |
|
Exec Code |
2009-11-02 |
2009-11-03 |
8.5 |
None |
Remote |
Medium |
Single system |
Complete |
Complete |
Complete |
|
The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename. |
