Typesettercms Typesetter vulnerabilities
14 known vulnerabilities affecting typesettercms/typesetter.
Total CVEs: 14
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 10
Vulnerabilities
CVE-2020-25790 | P3 | HIGH | CVSS 7.2 | CWE-434 | public PoC | affected: ≥ 5.0, ≤ 5.1 | published 2020-09-19
Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our security policy" and is being fixed for 5.2.
Source: NVD
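The check a practitioner would put in front of any archive-based upload like the one in CVE-2020-25790, as an added example that is not Typesetter's code: before extracting, every member name is screened for extensions a PHP host would execute (including double extensions such as img.php.png, which an Apache AddHandler mapping still runs), for server-config overrides (.htaccess, .user.ini) that can re-map handlers, and for zip-slip paths that escape the target directory. The extension list and the sample archive are constructed assumptions; adjust the list to your server's handler map.

```python
"""Pre-screen a ZIP upload for server-executable members and zip-slip paths.

Added example, not Typesetter code. EXECUTABLE_EXTS is an assumption about
what a typical PHP host executes; SAMPLE_ZIP is a constructed archive.
"""
import io
import posixpath
import zipfile

# Extensions a typical mod_php / php-fpm host executes (assumption; extend as needed).
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Files that let an uploader change how the web server handles other files.
CONFIG_OVERRIDES = {".htaccess", ".user.ini"}


def scan_zip(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the archive looks safe to extract."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            # Zip-slip: absolute paths or '..' segments escape the extraction directory.
            if name.startswith(("/", "\\")) or norm.startswith("..") or "../" in name or "..\\" in name:
                findings.append(f"path traversal: {name}")
            base = posixpath.basename(norm).lower()
            if base in CONFIG_OVERRIDES:
                findings.append(f"server config override: {name}")
            # Check every dotted segment after the first, so foo.php.png is caught too.
            for part in base.split(".")[1:]:
                if "." + part in EXECUTABLE_EXTS:
                    findings.append(f"executable extension: {name}")
                    break
    return findings


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (helper for constructing test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample: one benign member and four that a theme/plugin upload should reject.
SAMPLE_ZIP = make_zip({
    "theme/style.css": b"body{}",
    "theme/shell.php": b"<?php echo 'placeholder'; ?>",
    "theme/../../x.txt": b"escapes the target directory",
    "theme/.htaccess": b"AddType application/x-httpd-php .png",
    "img.PHP.png": b"not really an image",
})

if __name__ == "__main__":
    for finding in scan_zip(SAMPLE_ZIP):
        print("REJECT:", finding)
```

Run the scan on the raw upload bytes and refuse the whole archive on any finding; extracting "safe" members from a hostile archive is rarely worth the complexity.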
CVE-2018-6889 | P3 | HIGH | CVSS 8.8 | CWE-94 | public PoC | affected: 5.1 | published 2018-02-12
An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability. Using this attack, a malicious user can poison the web cache, perform advanced password reset attacks, or even trigger arbitrary user redirection.
Source: NVD
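The root cause behind Host header injection of the kind described in CVE-2018-6889 is building absolute URLs (password-reset links, redirects, cache keys) from the request's Host header. The following added example, not Typesetter's code, shows the vulnerable pattern next to the hardened one: the host is normalised, checked against a configured allowlist, and the link is built from a canonical base URL. The allowlist, the base URL and the /Admin/Reset path are constructed assumptions.

```python
"""Derive absolute URLs from an allowlist, not from the client-supplied Host header.

Added example, not Typesetter code. ALLOWED_HOSTS, CANONICAL_BASE and the
/Admin/Reset route are constructed assumptions for illustration.
"""
import re
from urllib.parse import quote

ALLOWED_HOSTS = {"cms.example.org", "cms.example.org:8443"}  # assumed deployment
CANONICAL_BASE = "https://cms.example.org"                  # assumed deployment
_HOST_RE = re.compile(r"^[a-z0-9.-]+(:[0-9]{1,5})?$")


def normalize_host(raw: str) -> str:
    """Lowercase, strip whitespace and a trailing dot, drop the default HTTPS port."""
    host, _, port = raw.strip().lower().partition(":")
    host = host.rstrip(".")
    if port and port != "443":
        return f"{host}:{port}"
    return host


def is_trusted_host(raw: str) -> bool:
    """True only for syntactically clean hosts that appear in the allowlist."""
    host = normalize_host(raw)
    return bool(_HOST_RE.match(host)) and host in ALLOWED_HOSTS


def naive_reset_link(headers: dict, token: str) -> str:
    """Vulnerable pattern: the mailed link points wherever the attacker's Host header says."""
    return f"https://{headers['Host']}/Admin/Reset?token={quote(token)}"


def safe_reset_link(headers: dict, token: str) -> str:
    """Hardened pattern: reject untrusted Host values and always use the canonical base."""
    # Behind a reverse proxy, apply the same check to X-Forwarded-Host (not shown).
    if not is_trusted_host(headers.get("Host", "")):
        raise ValueError(f"untrusted Host header: {headers.get('Host')!r}")
    return f"{CANONICAL_BASE}/Admin/Reset?token={quote(token)}"


if __name__ == "__main__":
    forged = {"Host": "attacker.example"}
    print("naive:", naive_reset_link(forged, "abc"))
    try:
        safe_reset_link(forged, "abc")
    except ValueError as exc:
        print("safe :", exc)
```

A simple live check for the reflection itself is to send a request with a Host (or X-Forwarded-Host) value you control and look for that value in the response body, Location header or any generated e-mail; the code above is the fix, not the scan.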
CVE-2018-6888 | P3 | HIGH | CVSS 8.0 | CWE-352 | public PoC | affected: 5.1 | published 2018-02-12
An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from a critical Cross-Site Request Forgery flaw: using a forged HTTP request, a malicious user can lead a user to unknowingly create, delete or modify a user account due to the lack of an anti-CSRF token.
Source: NVD
CVE-2022-25523 | P4 | HIGH | CVSS 8.8 | CWE-352 | affected: 5.1 | published 2022-03-25
TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request.
Source: NVD
CVE-2025-71165 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 5.1 | published 2026-01-14
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input
Source: NVD
CVE-2025-71164 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 5.1 | published 2026-01-14
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing
Source: NVD
CVE-2025-71166 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 5.1 | published 2026-01-14
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted
Source: NVD
CVE-2020-19511 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected: 5.1 | published 2021-06-21
Cross-Site Scripting vulnerability in Typesetter 5.1 via the (1) className and (2) Description fields in index.php/Admin/Classes.
Source: NVD
CVE-2018-16639 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: 5.1 | published 2019-05-13
Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter during new page creation.
Source: NVD
CVE-2020-35126 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected: ≤ 5.1 | published 2020-12-11
Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."
Source: NVD
CVE-2018-20837 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected: 5.1 | published 2019-05-09
include/admin/Menu/Ajax.php in Typesetter 5.1 has index.php/Admin/Menu/Ajax?cmd=AddHidden title XSS.
Source: NVD
CVE-2018-16625 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected: 5.1 | published 2019-05-13
index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element.
Source: NVD
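SVG is XML and can carry scripts, so an upload handler that accepts it as "just an image" inherits the CVE-2018-16625 problem. The following added example, not Typesetter's code, is the gate a practitioner would place on SVG uploads: it refuses DOCTYPE/ENTITY declarations before parsing, then walks the tree and reports script and foreignObject elements, on* event handler attributes, javascript: and data: hrefs (with whitespace stripped to defeat obfuscation), and animate/set elements that retarget an href. The sample SVGs are constructed.

```python
"""Reject SVG uploads that carry active content.

Added example, not Typesetter code. BENIGN_SVG and MALICIOUS_SVG are constructed
samples; the element/attribute lists are the usual suspects, not an exhaustive list.
"""
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignobject"}
DANGEROUS_SCHEMES = ("javascript:", "data:")


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.split("}")[-1].lower()


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return findings; an empty list means no active content was detected."""
    # Entity declarations are a separate risk (entity expansion, XXE); refuse before parsing.
    if b"<!DOCTYPE" in svg_bytes or b"<!ENTITY" in svg_bytes:
        return ["DOCTYPE/ENTITY declaration present"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is not <svg>: {root.tag}")
    for el in root.iter():
        local = _local(el.tag)
        if local in ACTIVE_ELEMENTS:
            findings.append(f"<{local}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            # Remove all whitespace so "java\nscript:" is still recognised.
            v = "".join(value.split()).lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{local}>")
            elif name == "href" and v.startswith(DANGEROUS_SCHEMES):
                findings.append(f"href={value!r} on <{local}>")
        if local in {"set", "animate"} and el.get("attributeName", "").lower() == "href":
            findings.append(f"<{local}> retargets href")
    return findings


# Constructed samples.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    b'<script>alert(2)</script>'
    b'<a xlink:href="java\nscript:alert(3)"><text y="10">x</text></a>'
    b'</svg>'
)

if __name__ == "__main__":
    print("benign   :", find_active_content(BENIGN_SVG))
    print("malicious:", find_active_content(MALICIOUS_SVG))
```

If SVG must be accepted, serving it from a separate origin with Content-Disposition: attachment or a strict Content-Security-Policy limits the blast radius even when a check like this misses something; the check is a filter, not a sanitiser.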
CVE-2018-16626 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected: 5.1 | published 2019-05-13
index.php/Admin/Classes in Typesetter 5.1 allows XSS via the description of a new class name.
Source: NVD
CVE-2019-20077 | P4 | MEDIUM | CVSS 4.3 | CWE-352 | affected: 5.1 | published 2020-01-05
The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. The logout function of the admin panel is not protected by any CSRF tokens. An attacker can log out the user using this vulnerability.
Source: NVD
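Three entries on this page (CVE-2018-6888, CVE-2022-25523 and CVE-2019-20077) share one root cause: state-changing admin actions, logout included, accept a request without proving it came from the application's own form. The following added example, not Typesetter's code, is the synchronizer-token pattern that closes all three: a token bound to the session with an HMAC and an expiry, verified in constant time, and a dispatcher that refuses both GET requests and token-less POSTs on state-changing routes. The secret, session ids and route names are constructed assumptions.

```python
"""Synchronizer CSRF token for state-changing admin actions, including logout.

Added example, not Typesetter code. SECRET_KEY, the session ids and the route
names in STATE_CHANGING are constructed assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # in practice a persistent per-site secret (assumption)
TOKEN_TTL = 3600                      # seconds a token stays valid

# Routes that change server state and therefore need a token (assumed names).
STATE_CHANGING = {"/Admin/Users", "/Admin/Logout"}


def _mac(session_id: str, ts: int, nonce: str) -> str:
    """HMAC over session id, timestamp and nonce: a token is useless for another session."""
    msg = f"{session_id}|{ts}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, now=None) -> str:
    """Token to embed as a hidden form field for this session."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{ts}.{nonce}.{_mac(session_id, ts, nonce)}"


def verify_token(session_id: str, token: str, now=None) -> bool:
    """True only for an unexpired token whose MAC matches this session."""
    try:
        ts_s, nonce, mac = token.split(".")
        ts = int(ts_s)
    except ValueError:
        return False
    if (time.time() if now is None else now) - ts > TOKEN_TTL:
        return False
    return hmac.compare_digest(_mac(session_id, ts, nonce), mac)


def handle(method: str, path: str, session_id: str, form: dict) -> int:
    """Return an HTTP status code for a request; the token check is what stops CSRF."""
    if path in STATE_CHANGING:
        if method != "POST":
            return 405  # a GET (e.g. an <img src=...> on a hostile page) must never change state
        if not verify_token(session_id, form.get("csrf", "")):
            return 403
    return 200


if __name__ == "__main__":
    tok = issue_token("sess-A")
    print("forged GET   :", handle("GET", "/Admin/Logout", "sess-A", {}))
    print("forged POST  :", handle("POST", "/Admin/Logout", "sess-A", {}))
    print("genuine POST :", handle("POST", "/Admin/Logout", "sess-A", {"csrf": tok}))
```

Set the session cookie with SameSite=Lax (or Strict) as a second layer, but do not rely on it alone: the token check is what makes a forged cross-site POST fail regardless of browser behaviour.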