Typo3 Cms vulnerabilities
115 known vulnerabilities affecting typo3/cms.
Total CVEs: 115
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 28, MEDIUM 72, LOW 11
Vulnerabilities
Page 6 of 6
CVE-2021-32668 | P4 | MEDIUM | affected: ≥ 10.0.0, < 10.4.18; ≥ 11.0.0, < 11.3.1 (+1 more) | 2021-07-22
CVE-2021-32668 [MEDIUM] CWE-79 Cross-Site Scripting in Query Generator & Query View
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.5)
### Problem
Failing to properly encode error messages, the components _QueryGenerator_ and _QueryView_ are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability.
Sources: GHSA, OSV
CVE-2012-2112 | P4 | MEDIUM | affected: ≥ 4.4, < 4.4.15; ≥ 4.5, < 4.5.15 (+1 more) | 2022-05-17
CVE-2012-2112 [MEDIUM] CWE-79 Typo3 Exception Handler XSS
Cross-site scripting (XSS) vulnerability in the Exception Handler in TYPO3 4.4.x before 4.4.15, 4.5.x before 4.5.15, 4.6.x before 4.6.8, and 4.7 allows remote attackers to inject arbitrary web script or HTML via exception messages.
Sources: GHSA, OSV
CVE-2012-3531 | P4 | MEDIUM | affected: ≥ 4.5, < 4.5.19; ≥ 4.6, < 4.6.12 (+1 more) | 2022-05-17
CVE-2012-3531 [MEDIUM] CWE-79 Typo3 Install Tool XSS Vulnerability
Cross-site scripting (XSS) vulnerability in the Install Tool in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Sources: GHSA, OSV
CVE-2009-0816 | P4 | MEDIUM | affected: ≥ 3.3.0; ≥ 4.0, < 4.0.12 (+2 more) | 2022-05-02
CVE-2009-0816 [MEDIUM] CWE-79 Typo3 Backend XSS Vulnerability
An Information Disclosure vulnerability in the jumpUrl mechanism, used to track access on web pages and provided files, allows a remote attacker to read arbitrary files on a host.
The expected value of a mandatory hash secret, intended to invalidate such requests, is exposed to remote users, allowing them to bypass access control by providing the correct value.
There's no authentication required to exploi
Sources: GHSA, OSV
CVE-2012-6147 | P4 | LOW | affected: ≥ 4.5.0, < 4.5.21; ≥ 4.6.0, < 4.6.14 (+1 more) | 2022-05-17
CVE-2012-6147 [LOW] CWE-79 Typo3 Backend API XSS Vulnerability
Cross-site scripting (XSS) vulnerability in the tree render API (TCA-Tree) in the Backend API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
Sources: GHSA, OSV
CVE-2020-11063 | P4 | LOW | affected: ≥ 10.0.0, < 10.4.2 | 2020-05-13
CVE-2020-11063 [LOW] CWE-203 Information Disclosure in Password Reset
In TYPO3 CMS 10.4.0 through 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts.
This has been fixed in 10.4.2.
### References
* https://typo3.org/security/advisory/typo3-core-sa-2020-001
Sources: GHSA, OSV
CVE-2012-3529 | P4 | LOW | affected: ≥ 4.5, < 4.5.19; ≥ 4.6, < 4.6.12 (+1 more) | 2022-05-17
CVE-2012-3529 [LOW] CWE-200 Typo3 Backend Configuration XSS Vulnerability
The configuration module in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to obtain the encryption key via unspecified vectors.
Sources: GHSA, OSV
CVE-2012-3528 | P4 | LOW | affected: ≥ 4.5, < 4.5.19; ≥ 4.6, < 4.6.12 (+1 more) | 2022-05-17
CVE-2012-3528 [LOW] CWE-79 Typo3 Backend XSS Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
Sources: GHSA, OSV
CVE-2015-5956 | P4 | LOW | affected: ≥ 6.0, < 6.2.15; ≥ 7.0, < 7.4.0 (+1 more) | 2022-05-14
CVE-2015-5956 [LOW] CWE-79 TYPO3 cross-site scripting (XSS)
The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php and the (2) redirect_url parameter to index.php.
Sources: GHSA, OSV
CVE-2012-1606 | P4 | LOW | affected: ≥ 4.4.0, < 4.4.14; ≥ 4.5.0, < 4.5.14 (+1 more) | 2022-05-17
CVE-2012-1606 [LOW] CWE-79 Typo3 Backend XSS Vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in the Backend component in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
Sources: GHSA, OSV
CVE-2014-3943 | P4 | LOW | affected: ≥ 4.5.0, < 4.5.34; ≥ 4.7.0, < 4.7.19 (+3 more) | 2022-05-14
CVE-2014-3943 [LOW] CWE-79 Typo3 XSS Vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters.
Sources: GHSA, OSV
CVE-2020-26229 | P4 | LOW | affected: ≥ 10.0.0, < 10.4.10 | 2020-11-23
CVE-2020-26229 [LOW] CWE-611 XML External Entity in Dashboard Widget
### Problem
It has been discovered that RSS widgets are susceptible to XML external entity processing.
This vulnerability is reasonable, but is theoretical: it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions.
At least with _libxml2_ version 2.9, the processing of XML external entities is disabled per de
Sources: GHSA, OSV
CVE-2012-6148 | P4 | LOW | affected: ≥ 4.5.0, < 4.5.21; ≥ 4.6.0, < 4.6.14 (+1 more) | 2022-05-17
CVE-2012-6148 [LOW] CWE-79 Typo3 Function Menu API XSS Vulnerability
Cross-site scripting (XSS) vulnerability in the function menu API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
Sources: GHSA, OSV
CVE-2013-7074 | P4 | LOW | affected: ≥ 4.5.0, < 4.5.32; ≥ 4.7.0, < 4.7.17 (+2 more) | 2022-05-17
CVE-2013-7074 [LOW] CWE-79 TYPO3 Cross-Site Scripting (XSS) vulnerabilities in Content Editing Wizards component
Multiple cross-site scripting (XSS) vulnerabilities in Content Editing Wizards in TYPO3 4.5.x before 4.5.32, 4.7.x before 4.7.17, 6.0.x before 6.0.12, 6.1.x before 6.1.7, and the development versions of 6.2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified param
Sources: GHSA, OSV
CVE-2012-6145 | P4 | LOW | affected: ≥ 4.5.0, < 4.5.21; ≥ 4.6.0, < 4.6.14 (+1 more) | 2022-05-17
CVE-2012-6145 [LOW] CWE-79 Typo3 Backend History Module Vulnerable to XSS
Cross-site scripting (XSS) vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
Sources: GHSA, OSV