cvebase

Typo3 Cms vulnerabilities

115 known vulnerabilities affecting typo3/cms.

Total CVEs: 115
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 28, MEDIUM 72, LOW 11

Vulnerabilities

Page 6 of 6
CVE-2021-32668 | P4 | MEDIUM | affected: ≥ 10.0.0, < 10.4.18; ≥ 11.0.0, < 11.3.1 (+1 more) | 2021-07-22
CVE-2021-32668 [MEDIUM] CWE-79: Cross-Site Scripting in Query Generator & Query View
Meta: CVSS `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.5)
Problem: Failing to properly encode error messages, the components _QueryGenerator_ and _QueryView_ are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability
Sources: GHSA, OSV
CVE-2012-2112 | P4 | MEDIUM | affected: ≥ 4.4, < 4.4.15; ≥ 4.5, < 4.5.15 (+1 more) | 2022-05-17
CVE-2012-2112 [MEDIUM] CWE-79: Typo3 Exception Handler XSS
Cross-site scripting (XSS) vulnerability in the Exception Handler in TYPO3 4.4.x before 4.4.15, 4.5.x before 4.5.15, 4.6.x before 4.6.8, and 4.7 allows remote attackers to inject arbitrary web script or HTML via exception messages.
Sources: GHSA, OSV
CVE-2012-3531 | P4 | MEDIUM | affected: ≥ 4.5, < 4.5.19; ≥ 4.6, < 4.6.12 (+1 more) | 2022-05-17
CVE-2012-3531 [MEDIUM] CWE-79: Typo3 Install Tool XSS Vulnerability
Cross-site scripting (XSS) vulnerability in the Install Tool in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Sources: GHSA, OSV
CVE-2009-0816 | P4 | MEDIUM | affected: ≥ 3.3.0; ≥ 4.0, < 4.0.12 (+2 more) | 2022-05-02
CVE-2009-0816 [MEDIUM] CWE-79: Typo3 Backend XSS Vulnerability
An Information Disclosure vulnerability in the jumpUrl mechanism, used to track access on web pages and provided files, allows a remote attacker to read arbitrary files on a host. The expected value of a mandatory hash secret, intended to invalidate such requests, is exposed to remote users, allowing them to bypass access control by providing the correct value. There's no authentication required to exploi
Sources: GHSA, OSV
CVE-2012-6147 | P4 | LOW | affected: ≥ 4.5.0, < 4.5.21; ≥ 4.6.0, < 4.6.14 (+1 more) | 2022-05-17
CVE-2012-6147 [LOW] CWE-79: Typo3 Backend API XSS Vulnerability
Cross-site scripting (XSS) vulnerability in the tree render API (TCA-Tree) in the Backend API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
Sources: GHSA, OSV
CVE-2020-11063 | P4 | LOW | affected: ≥ 10.0.0, < 10.4.2 | 2020-05-13
CVE-2020-11063 [LOW] CWE-203: Information Disclosure in Password Reset
In TYPO3 CMS 10.4.0 through 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2.
References: https://typo3.org/security/advisory/typo3-core-sa-2020-001
Sources: GHSA, OSV
CVE-2012-3529 | P4 | LOW | affected: ≥ 4.5, < 4.5.19; ≥ 4.6, < 4.6.12 (+1 more) | 2022-05-17
CVE-2012-3529 [LOW] CWE-200: Typo3 Backend Configuration XSS Vulnerability
The configuration module in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to obtain the encryption key via unspecified vectors.
Sources: GHSA, OSV
CVE-2012-3528 | P4 | LOW | affected: ≥ 4.5, < 4.5.19; ≥ 4.6, < 4.6.12 (+1 more) | 2022-05-17
CVE-2012-3528 [LOW] CWE-79: Typo3 Backend XSS Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
Sources: GHSA, OSV
CVE-2015-5956 | P4 | LOW | affected: ≥ 6.0, < 6.2.15; ≥ 7.0, < 7.4.0 (+1 more) | 2022-05-14
CVE-2015-5956 [LOW] CWE-79: TYPO3 cross-site scripting (XSS)
The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php and the (2) redirect_url parameter to index.php.
Sources: GHSA, OSV
CVE-2012-1606 | P4 | LOW | affected: ≥ 4.4.0, < 4.4.14; ≥ 4.5.0, < 4.5.14 (+1 more) | 2022-05-17
CVE-2012-1606 [LOW] CWE-79: Typo3 Backend XSS Vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in the Backend component in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
Sources: GHSA, OSV
CVE-2014-3943 | P4 | LOW | affected: ≥ 4.5.0, < 4.5.34; ≥ 4.7.0, < 4.7.19 (+3 more) | 2022-05-14
CVE-2014-3943 [LOW] CWE-79: Typo3 XSS Vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters.
Sources: GHSA, OSV
CVE-2020-26229 | P4 | LOW | affected: ≥ 10.0.0, < 10.4.10 | 2020-11-23
CVE-2020-26229 [LOW] CWE-611: XML External Entity in Dashboard Widget
Problem: It has been discovered that RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with _libxml2_ version 2.9, the processing of XML external entities is disabled per de
Sources: GHSA, OSV
CVE-2012-6148 | P4 | LOW | affected: ≥ 4.5.0, < 4.5.21; ≥ 4.6.0, < 4.6.14 (+1 more) | 2022-05-17
CVE-2012-6148 [LOW] CWE-79: Typo3 Function Menu API XSS Vulnerability
Cross-site scripting (XSS) vulnerability in the function menu API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
Sources: GHSA, OSV
CVE-2013-7074 | P4 | LOW | affected: ≥ 4.5.0, < 4.5.32; ≥ 4.7.0, < 4.7.17 (+2 more) | 2022-05-17
CVE-2013-7074 [LOW] CWE-79: TYPO3 Cross-Site Scripting (XSS) vulnerabilities in Content Editing Wizards component
Multiple cross-site scripting (XSS) vulnerabilities in Content Editing Wizards in TYPO3 4.5.x before 4.5.32, 4.7.x before 4.7.17, 6.0.x before 6.0.12, 6.1.x before 6.1.7, and the development versions of 6.2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified param
Sources: GHSA, OSV
CVE-2012-6145 | P4 | LOW | affected: ≥ 4.5.0, < 4.5.21; ≥ 4.6.0, < 4.6.14 (+1 more) | 2022-05-17
CVE-2012-6145 [LOW] CWE-79: Typo3 Backend History Module Vulnerable to XSS
Cross-site scripting (XSS) vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
Sources: GHSA, OSV