Typo3 Cms vulnerabilities
115 known vulnerabilities affecting typo3/cms.
Total CVEs
115
CISA KEV
0
Public exploits
3
Exploited in wild
0
Severity breakdown
CRITICAL4HIGH28MEDIUM72LOW11
Vulnerabilities
Page 5 of 6
CVE-2022-23499P4MEDIUM≥ 10.0.0, < 10.4.33≥ 11.0.0, < 11.5.20+1 more2022-12-13
CVE-2022-23499 [MEDIUM] CWE-79 TYPO3 HTML Sanitizer vulnerable to Cross-Site Scripting
TYPO3 HTML Sanitizer vulnerable to Cross-Site Scripting
### Problem
Due to a parsing issue in the upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized. This allows bypassing the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://packagist.org/packages/typo3
ghsaosv
CVE-2020-11064P4MEDIUM≥ 10.0.0, < 10.4.2≥ 9.0.0, < 9.5.172020-05-13
CVE-2020-11064 [MEDIUM] CWE-79 Cross-Site Scripting in TYPO3 CMS Form Engine
Cross-Site Scripting in TYPO3 CMS Form Engine
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML `placeholder` attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.
Update to TYPO3 versions 9.5.17 or 10.4.2
ghsaosv
CVE-2015-8755P4MEDIUM≥ 6.2, < 6.2.16≥ 7.0, < 7.6.12022-05-17
CVE-2015-8755 [MEDIUM] CWE-79 Typo3 XSS Vulnerability
Typo3 XSS Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown vectors.
ghsaosv
CVE-2016-4056P4MEDIUM≥ 6.2.0, < 6.2.192022-05-17
CVE-2016-4056 [MEDIUM] CWE-79 TYPO3 Backend component Cross-site scripting (XSS) vulnerability
TYPO3 Backend component Cross-site scripting (XSS) vulnerability
Cross-site scripting (XSS) vulnerability in the Backend component in TYPO3 6.2.x before 6.2.19 allows remote attackers to inject arbitrary web script or HTML via the module parameter when creating a bookmark.
ghsaosv
CVE-2012-6146P4MEDIUM≥ 4.5, < 4.5.21≥ 4.6, < 4.6.14+1 more2022-05-17
CVE-2012-6146 [MEDIUM] CWE-79 Typo3 Backend History Module Vulnerable to XSS
Typo3 Backend History Module Vulnerable to XSS
The Backend History Module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 does not properly restrict access, which allows remote authenticated editors to read the history of arbitrary records via a crafted URL.
ghsaosv
CVE-2011-4903P4MEDIUM≥ 0, < 4.3.12≥ 4.4.0, < 4.4.9+1 more2022-04-22
CVE-2011-4903 [MEDIUM] CWE-79 Typo3 XSS in RemoveXSS function
Typo3 XSS in RemoveXSS function
Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the RemoveXSS function.
ghsaosv
CVE-2019-12748P4MEDIUM≥ 8.0.0, < 8.7.27≥ 9.0.0, < 9.5.82022-05-24
CVE-2019-12748 [MEDIUM] CWE-79 Typo3 Cross-Site Scripting in Link Handling
Typo3 Cross-Site Scripting in Link Handling
TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS.
ghsaosv
CVE-2011-4630P4MEDIUM≥ 4.5.0, < 4.5.4≥ 4.4.0, < 4.4.9+1 more2022-04-22
CVE-2011-4630 [MEDIUM] CWE-79 Typo3 XSS Vulnerability
Typo3 XSS Vulnerability
Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the `browse_links` wizard.
ghsaosv
CVE-2020-11065P4MEDIUM≥ 10.0.0, < 10.4.2≥ 9.0.0, < 9.5.172020-05-13
CVE-2020-11065 [MEDIUM] CWE-79 Cross-Site Scripting in TYPO3 CMS Link Handling
Cross-Site Scripting in TYPO3 CMS Link Handling
It has been discovered that link tags generated by `typolink` functionality are vulnerable to cross-site scripting - properties being assigned as HTML attributes have not been parsed correctly.
Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described.
### References
* https://typo3.org/security/advisory/typo3-core-sa-2020-003
ghsaosv
CVE-2012-1608P4MEDIUM≥ 4.4.0, < 4.4.14≥ 4.5.0, < 4.5.14+1 more2022-05-17
CVE-2012-1608 [MEDIUM] CWE-20 Typo3 API XSS Vulnerabilities
Typo3 API XSS Vulnerabilities
The `t3lib_div::RemoveXSS` API method in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism and inject arbitrary web script or HTML via non printable characters.
ghsaosv
CVE-2005-4875P4HIGH≥ 0, < 3.8.12022-05-01
CVE-2005-4875 [HIGH] CWE-200 TYPO3 Reveals Sensitive Information via Direct Request to `misc/phpcheck/`
TYPO3 Reveals Sensitive Information via Direct Request to `misc/phpcheck/`
TYPO3 3.8.0 and earlier allows remote attackers to obtain sensitive information via a direct request to misc/phpcheck/, which invokes the phpinfo function and prints values of unspecified environment variables.
ghsaosv
CVE-2013-7073P4MEDIUM≥ 4.5.0, < 4.5.32≥ 4.7.0, < 4.7.17+2 more2022-05-17
CVE-2013-7073 [MEDIUM] CWE-200 TYPO3 vulnerable to Information Disclosure via Content Editing Wizards component
TYPO3 vulnerable to Information Disclosure via Content Editing Wizards component
The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters.
ghsaosv
CVE-2011-4632P4MEDIUM≥ 0, < 4.3.12≥ 4.4.0, < 4.4.9+1 more2022-04-22
CVE-2011-4632 [MEDIUM] CWE-79 Typo3 XSS Vulnerabilities
Typo3 XSS Vulnerabilities
Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the tcemain flash message.
ghsaosv
CVE-2015-8759P4MEDIUM≥ 6.2.0, < 6.2.16≥ 7.0.0, < 7.6.12022-05-17
CVE-2015-8759 [MEDIUM] CWE-79 TYPO3 Cross-site Scripting vulnerability
TYPO3 Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in the typoLink function in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote authenticated editors to inject arbitrary web script or HTML via a link field.
ghsaosv
CVE-2022-31046P4MEDIUM≥ 10.0.0, < 10.4.29≥ 11.0.0, < 11.5.112022-06-17
CVE-2022-31046 [MEDIUM] CWE-200 Information Disclosure via Export Module
Information Disclosure via Export Module
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C` (4.0)
### Problem
The export functionality fails to limit the result set to allowed columns of a particular database table. This allows authenticated users to export internal details of database tables to which they already have access.
### Solution
Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS,
ghsaosv
CVE-2013-7341P4MEDIUMCVSS 4.3≥ 6.2.0, < 6.2.14≥ 7.0.0, < 7.3.12022-05-13
CVE-2013-7341 [MEDIUM] CWE-79 Moodle cross-site scripting (XSS) vulnerabilities
Moodle cross-site scripting (XSS) vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted playerId or (2) referencing an external domain, a related issue to CVE-2013-7342.
ghsaosv
CVE-2015-8756P4MEDIUM≥ 6.2.0, < 6.2.162022-05-17
CVE-2015-8756 [MEDIUM] CWE-79 TYPO3 CMS indexed search Cross-site Scripting vulnerability
TYPO3 CMS indexed search Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in the search result view in the Indexed Search (indexed_search) component in TYPO3 6.2.x before 6.2.16 allows remote authenticated editors to inject arbitrary web script or HTML via unspecified vectors.
ghsaosv
CVE-2018-6905P4MEDIUM≥ 0, < 9.2.02022-05-14
CVE-2018-6905 [MEDIUM] CWE-79 Typo3 XSS Vulnerability
Typo3 XSS Vulnerability
The page module in TYPO3 before 8.7.11 has XSS via `$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename']`, as demonstrated by an admin entering a crafted site name during the installation process.
ghsaosv
CVE-2012-3530P4MEDIUM≥ 4.5, < 4.5.19≥ 4.6, < 4.6.12+1 more2022-05-17
CVE-2012-3530 [MEDIUM] CWE-79 Typo3 API XSS Vulnerability
Typo3 API XSS Vulnerability
Incomplete blacklist vulnerability in the `t3lib_div::quoteJSvalue` API function in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain HTML5 JavaScript events.
ghsaosv
CVE-2014-3946P4MEDIUM≥ 6.2.0, < 6.2.32022-05-17
CVE-2014-3946 [MEDIUM] CWE-200 Typo3 Information Disclosure
Typo3 Information Disclosure
Failing to respect user groups of logged in users when caching queries, Extbase is susceptible to information disclosure. The query caching (introduced in Extbase 6.2) used to cache queries that query results for a specific user group were presented to a different group.
ghsaosv