Vulnerabilities (CVE)

Filtered by vendor Typesettercms
Total: 11 CVEs
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-25523 1 Typesettercms 1 Typesetter 2024-11-21 6.8 MEDIUM 8.8 HIGH
TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request.
CVE-2020-35126 1 Typesettercms 1 Typesetter 2024-11-21 3.5 LOW 4.8 MEDIUM
Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."
CVE-2020-25790 1 Typesettercms 1 Typesetter 2024-11-21 6.5 MEDIUM 7.2 HIGH
Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our security policy" and is being fixed for 5.2.
CVE-2020-19511 1 Typesettercms 1 Typesetter 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Cross Site Scripting vulnerability in Typesetter 5.1 via the 1) className and 2) Description fields in index.php/Admin/Classes.
CVE-2019-20077 1 Typesettercms 1 Typesetter 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. The logout function of the admin panel is not protected by any CSRF tokens. An attacker can log out the user using this vulnerability.
CVE-2018-6889 1 Typesettercms 1 Typesetter 2024-11-21 6.5 MEDIUM 8.8 HIGH
An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability. Using this attack, a malicious user can poison the web cache, perform advanced password reset attacks, or even trigger arbitrary user redirection.
CVE-2018-6888 1 Typesettercms 1 Typesetter 2024-11-21 6.0 MEDIUM 8.0 HIGH
An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from a critical Cross Site Request Forgery flaw: using a forged HTTP request, a malicious user can lead a user to unknowingly create, delete, or modify a user account due to the lack of an anti-CSRF token.
CVE-2018-20837 1 Typesettercms 1 Typesetter 2024-11-21 3.5 LOW 4.8 MEDIUM
include/admin/Menu/Ajax.php in Typesetter 5.1 has XSS via the title parameter of index.php/Admin/Menu/Ajax?cmd=AddHidden.
CVE-2018-16639 1 Typesettercms 1 Typesetter 2024-11-21 3.5 LOW 5.4 MEDIUM
Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter during new page creation.
CVE-2018-16626 1 Typesettercms 1 Typesetter 2024-11-21 3.5 LOW 4.8 MEDIUM
index.php/Admin/Classes in Typesetter 5.1 allows XSS via the description of a new class name.
CVE-2018-16625 1 Typesettercms 1 Typesetter 2024-11-21 3.5 LOW 4.8 MEDIUM
index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element.