Typo3 : Security Vulnerabilities Published In 2019

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|--------|--------|---------------|-----------------------|--------------|-------------|-------|---------------------|--------|------------|----------------|-------|--------|--------|-------------|
| 1 | CVE-2019-19850 | 89 | | Sql | 2019-12-17 | 2019-12-20 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges. |
| 2 | CVE-2019-19849 | 502 | | | 2019-12-17 | 2019-12-23 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges. |
| 3 | CVE-2019-19848 | 22 | | Dir. Trav. | 2019-12-17 | 2019-12-23 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.) |
| 4 | CVE-2019-12748 | 79 | | XSS | 2019-07-09 | 2019-07-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. |
| 5 | CVE-2019-12747 | 502 | | | 2019-07-09 | 2019-07-12 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. |
| 6 | CVE-2019-11832 | 20 | | Exec Code | 2019-05-09 | 2019-05-13 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick. |
| 7 | CVE-2019-11831 | 22 | | Dir. Trav. Bypass | 2019-05-09 | 2019-05-25 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. |
| 8 | CVE-2019-11830 | 502 | | Bypass | 2019-05-09 | 2019-05-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism. |
| 9 | CVE-2011-4904 | 20 | | | 2019-11-06 | 2019-11-08 | 4.0 | None | Remote | Low | ??? | Partial | None | None | TYPO3 before 4.4.9 and 4.5.x before 4.5.4 does not apply proper access control on ExtDirect calls, which allows remote attackers to retrieve ExtDirect endpoint services. |
| 10 | CVE-2011-4903 | 79 | | XSS | 2019-11-06 | 2019-11-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the RemoveXSS function. |
| 11 | CVE-2011-4902 | 20 | | | 2019-11-06 | 2019-11-08 | 5.5 | None | Remote | Low | ??? | None | Partial | Partial | TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to delete arbitrary files on the webserver. |
| 12 | CVE-2011-4901 | 200 | | +Info | 2019-11-06 | 2019-11-08 | 4.0 | None | Remote | Low | ??? | Partial | None | None | TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to extract arbitrary information from the TYPO3 database. |
| 13 | CVE-2011-4900 | 200 | | +Info | 2019-11-06 | 2019-11-07 | 4.0 | None | Remote | Low | ??? | Partial | None | None | TYPO3 before 4.5.4 allows Information Disclosure in the backend. |
| 14 | CVE-2011-4632 | 79 | | XSS | 2019-11-06 | 2019-11-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the tcemain flash message. |
| 15 | CVE-2011-4631 | 79 | | XSS | 2019-11-06 | 2019-11-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the system extension recycler. |
| 16 | CVE-2011-4630 | 79 | | XSS | 2019-11-06 | 2019-11-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the browse_links wizard. |
| 17 | CVE-2011-4629 | 79 | | XSS | 2019-11-06 | 2019-11-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the admin panel. |
| 18 | CVE-2011-4628 | 287 | | Bypass | 2019-11-06 | 2019-11-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authentication mechanisms in the backend through a crafted request. |
| 19 | CVE-2011-4627 | 200 | | +Info | 2019-11-06 | 2019-11-08 | 4.0 | None | Remote | Low | ??? | Partial | None | None | TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows Information Disclosure on the backend. |
| 20 | CVE-2011-4626 | 79 | | XSS | 2019-11-06 | 2019-11-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the "JSwindow" property of the typolink function. |
| 21 | CVE-2011-3583 | 89 | | Sql | 2019-11-26 | 2019-12-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | It was found that Typo3 Core versions 4.5.0 - 4.5.5 use prepared statements that, if the parameter values are not properly replaced, could lead to a SQL Injection vulnerability. This issue can only be exploited if two or more parameters are bound to the query and at least two come from user input. |
| 22 | CVE-2010-3674 | 79 | | XSS | 2019-11-05 | 2019-11-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | TYPO3 before 4.4.1 allows XSS in the frontend search box. |
| 23 | CVE-2010-3673 | 200 | | +Info | 2019-11-05 | 2019-11-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows information disclosure in the mail header of the HTML mailing API. |
| 24 | CVE-2010-3672 | 79 | | XSS | 2019-11-05 | 2019-11-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | TYPO3 before 4.3.4 and 4.4.x before 4.4.1 allows XSS in the textarea view helper in an extbase extension. |
| 25 | CVE-2010-3671 | 384 | | | 2019-11-05 | 2019-11-08 | 9.4 | None | Remote | Low | Not required | Complete | Complete | None | TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session. |
| 26 | CVE-2010-3670 | 326 | | | 2019-11-05 | 2019-11-08 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the "forgot password" function. |
| 27 | CVE-2010-3669 | 79 | | XSS | 2019-11-04 | 2019-11-07 | 4.9 | None | Remote | Medium | ??? | Partial | Partial | None | TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS and Open Redirection in the frontend login box. |
| 28 | CVE-2010-3668 | 74 | | | 2019-11-04 | 2019-11-05 | 5.0 | None | Remote | Low | Not required | None | Partial | None | TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Header Injection in the secure download feature jumpurl. |
| 29 | CVE-2010-3667 | 20 | | | 2019-11-04 | 2019-11-05 | 5.0 | None | Remote | Low | Not required | None | Partial | None | TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Spam Abuse in the native form content element. |
| 30 | CVE-2010-3666 | 330 | | | 2019-11-04 | 2019-11-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the uniqid function. |
| 31 | CVE-2010-3665 | 79 | | XSS | 2019-11-04 | 2019-11-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the Extension Manager. |
| 32 | CVE-2010-3664 | 200 | | +Info | 2019-11-04 | 2019-11-05 | 4.0 | None | Remote | Low | ??? | Partial | None | None | TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend. |
| 33 | CVE-2010-3663 | 434 | | Exec Code | 2019-11-04 | 2019-11-05 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend. |
| 34 | CVE-2010-3662 | 89 | | Sql | 2019-11-04 | 2019-11-05 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend. |
| 35 | CVE-2010-3661 | 601 | | | 2019-11-01 | 2019-11-04 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Open Redirection on the backend. |
| 36 | CVE-2010-3660 | 79 | | XSS | 2019-11-01 | 2019-11-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the backend. |
Total number of vulnerabilities: 36. Page: 1 (this page)