cpe:2.3:a:typo3:typo3:4.0.9:*:*:*:*:*:*:*
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges.
Max CVSS: 8.8 | EPSS Score: 0.10% | Published: 2019-12-17 | Updated: 2019-12-23
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.)
Max CVSS: 7.2 | EPSS Score: 0.18% | Published: 2019-12-17 | Updated: 2019-12-23
TYPO3 before 4.4.1 allows XSS in the frontend search box.
Max CVSS: 6.1 | EPSS Score: 0.70% | Published: 2019-11-05 | Updated: 2019-11-06
TYPO3 before 4.3.4 and 4.4.x before 4.4.1 allows XSS in the textarea view helper in an extbase extension.
Max CVSS: 6.1 | EPSS Score: 0.09% | Published: 2019-11-05 | Updated: 2019-11-07
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.
Max CVSS: 9.4 | EPSS Score: 0.21% | Published: 2019-11-05 | Updated: 2019-11-08
TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the "forgot password" function.
Max CVSS: 5.8 | EPSS Score: 0.11% | Published: 2019-11-05 | Updated: 2019-11-08
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Header Injection in the secure download feature jumpurl.
Max CVSS: 7.5 | EPSS Score: 0.09% | Published: 2019-11-04 | Updated: 2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Spam Abuse in the native form content element.
Max CVSS: 5.3 | EPSS Score: 0.11% | Published: 2019-11-04 | Updated: 2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the uniqid function.
Max CVSS: 5.3 | EPSS Score: 0.11% | Published: 2019-11-04 | Updated: 2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the Extension Manager.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2019-11-04 | Updated: 2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend.
Max CVSS: 6.5 | EPSS Score: 0.10% | Published: 2019-11-04 | Updated: 2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend.
Max CVSS: 8.8 | EPSS Score: 0.77% | Published: 2019-11-04 | Updated: 2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.
Max CVSS: 8.8 | EPSS Score: 0.16% | Published: 2019-11-04 | Updated: 2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Open Redirection on the backend.
Max CVSS: 6.1 | EPSS Score: 0.10% | Published: 2019-11-01 | Updated: 2019-11-04
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the backend.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2019-11-01 | Updated: 2019-11-05
15 vulnerabilities found