Typo3 Cms-Core vulnerabilities

CVE-2020-11064 [MEDIUM] CWE-79 Cross-Site Scripting in TYPO3 CMS Form Engine Cross-Site Scripting in TYPO3 CMS Form Engine In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML `placeholder` attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. Update to TYPO3 versions 9.5.17 or 10.4.2

CVE-2020-11063 [LOW] CWE-203 Information Disclosure in Password Reset Information Disclosure in Password Reset In TYPO3 CMS 10.4.0 through 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2. ### References * https://typo3.org/security/advisory/typo3-core-sa-2020-001

CVE-2019-10912 [HIGH] CWE-502 Deserialization of untrusted data in Symfony Deserialization of untrusted data in Symfony In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.

CVE-2018-17960 [MEDIUM] CWE-79 Ckeditor XSS Vulnerability Ckeditor XSS Vulnerability CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. It was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, it is recom

CVE-2018-14041 [MEDIUM] CWE-79 Bootstrap Cross-site Scripting vulnerability Bootstrap Cross-site Scripting vulnerability In Bootstrap 4.x before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042.