Total
437 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-21338 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that Login Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and conducting phishing attacks. No authentication is required in order to exploit this vulnerability. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1. | |||||
CVE-2020-8091 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. This may be at a contrib/websvg/svg.swf pathname. | |||||
CVE-2020-26229 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 3.6 LOW | 3.7 LOW |
TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed. Update to TYPO3 version 10.4.10 to fix the problem described. | |||||
CVE-2020-26228 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 5.0 MEDIUM | 8.1 HIGH |
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. | |||||
CVE-2020-26227 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. | |||||
CVE-2020-15241 | 1 Typo3 | 2 Fluid Engine, Typo3 | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1). | |||||
CVE-2020-15099 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php, which again contains the encryptionKey as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, this allows the ability to completely retrieve, manipulate or delete database contents. This includes creating an administration user account - which can be used to trigger remote code execution by injecting custom extensions. This has been patched in versions 9.5.20 and 10.4.6. | |||||
CVE-2020-15098 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization & remote code execution. The overall severity of this vulnerability is high based on mentioned attack chains and the requirement of having a valid backend user session (authenticated). This has been patched in versions 9.5.20 and 10.4.6. | |||||
CVE-2020-11069 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.8 MEDIUM | 8.0 HIGH |
In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victims' user session. In a worst-case scenario, new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it's actually a same-site request forgery. Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a third party extension, e.g. file upload in a contact form with knowing the target location. To be successful, the attacked victim requires an active and valid backend or install tool user session at the time of the attack. This has been fixed in 9.5.17 and 10.4.2. The deployment of additional mitigation techniques is suggested as described below. - Sudo Mode Extension This TYPO3 extension intercepts modifications to security relevant database tables, e.g. those storing user accounts or storages of the file abstraction layer. Modifications need to confirmed again by the acting user providing their password again. This technique is known as sudo mode. This way, unintended actions happening in the background can be mitigated. - https://github.com/FriendsOfTYPO3/sudo-mode - https://extensions.typo3.org/extension/sudo_mode - Content Security Policy Content Security Policies tell (modern) browsers how resources served a particular site are handled. It is also possible to disallow script executions for specific locations. In a TYPO3 context, it is suggested to disallow direct script execution at least for locations /fileadmin/ and /uploads/. | |||||
CVE-2020-11067 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.0 MEDIUM | 8.8 HIGH |
In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2. | |||||
CVE-2020-11066 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.4 MEDIUM | 8.7 HIGH |
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the web site (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. This has been fixed in 9.5.17 and 10.4.2. | |||||
CVE-2020-11065 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly. This has been fixed in 9.5.17 and 10.4.2. | |||||
CVE-2020-11064 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2. | |||||
CVE-2020-11063 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2. | |||||
CVE-2019-19850 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges. | |||||
CVE-2019-19849 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges. | |||||
CVE-2019-19848 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.) | |||||
CVE-2019-12748 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. | |||||
CVE-2019-12747 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. | |||||
CVE-2019-11832 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 9.3 HIGH | 7.5 HIGH |
TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick. |