cpe:2.3:a:typo3:typo3:3.3.x:*:*:*:*:*:*:*
TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.
Max CVSS
6.5
EPSS Score
0.07%
Published
2022-12-14
Updated
2022-12-16
Bootstrap Package is a theme for TYPO3. It has been discovered that rendering content in the website frontend is vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. Users of the extension, who have overwritten the affected templates with custom code must manually apply the security fix. Update to version 7.1.2, 8.0.8, 9.1.4, 10.0.10 or 11.0.3 of the Bootstrap Package that fix the problem described. Updated version are available from the TYPO3 extension manager, Packagist and at https://extensions.typo3.org/extension/download/bootstrap_package/.
Max CVSS
5.4
EPSS Score
0.06%
Published
2021-04-27
Updated
2021-05-07
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges.
Max CVSS
8.8
EPSS Score
0.10%
Published
2019-12-17
Updated
2019-12-23
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.)
Max CVSS
7.2
EPSS Score
0.18%
Published
2019-12-17
Updated
2019-12-23
The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process.
Max CVSS
4.8
EPSS Score
0.08%
Published
2018-04-08
Updated
2018-05-09
Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action.
Max CVSS
8.1
EPSS Score
3.37%
Published
2017-01-23
Updated
2017-01-26
The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php and the (2) redirect_url parameter to index.php.
Max CVSS
3.5
EPSS Score
6.46%
Published
2015-09-16
Updated
2018-10-09
The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remote attackers to bypass authentication and gain access to the backend by leveraging knowledge of a password hash.
Max CVSS
4.0
EPSS Score
0.27%
Published
2014-06-03
Updated
2014-06-04
TYPO3 before 4.4.1 allows XSS in the frontend search box.
Max CVSS
6.1
EPSS Score
0.70%
Published
2019-11-05
Updated
2019-11-06
TYPO3 before 4.3.4 and 4.4.x before 4.4.1 allows XSS in the textarea view helper in an extbase extension.
Max CVSS
6.1
EPSS Score
0.09%
Published
2019-11-05
Updated
2019-11-07
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.
Max CVSS
9.4
EPSS Score
0.21%
Published
2019-11-05
Updated
2019-11-08
TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the "forgot password" function.
Max CVSS
5.8
EPSS Score
0.11%
Published
2019-11-05
Updated
2019-11-08
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Header Injection in the secure download feature jumpurl.
Max CVSS
7.5
EPSS Score
0.09%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Spam Abuse in the native form content element.
Max CVSS
5.3
EPSS Score
0.11%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the uniqid function.
Max CVSS
5.3
EPSS Score
0.11%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the Extension Manager.
Max CVSS
5.4
EPSS Score
0.06%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend.
Max CVSS
6.5
EPSS Score
0.10%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend.
Max CVSS
8.8
EPSS Score
0.77%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.
Max CVSS
8.8
EPSS Score
0.16%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Open Redirection on the backend.
Max CVSS
6.1
EPSS Score
0.10%
Published
2019-11-01
Updated
2019-11-04
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the backend.
Max CVSS
5.4
EPSS Score
0.06%
Published
2019-11-01
Updated
2019-11-05
Cross-site scripting (XSS) vulnerability in the Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
Max CVSS
4.3
EPSS Score
0.27%
Published
2009-11-02
Updated
2017-08-17
The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential.
Max CVSS
6.8
EPSS Score
1.65%
Published
2009-11-02
Updated
2017-08-17
Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the sanitizing algorithm.
Max CVSS
4.3
EPSS Score
0.12%
Published
2009-11-02
Updated
2017-08-17
SQL injection vulnerability in the traditional frontend editing feature in the Frontend Editing subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to execute arbitrary SQL commands via unspecified parameters.
Max CVSS
6.5
EPSS Score
0.18%
Published
2009-11-02
Updated
2017-08-17
33 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!