typo3/cms-backend
Packagist
18 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting typo3/cms-backend
- CVE-2008-5644 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.2.3 | 2008-12-17
vulnerable: 4.2.2
Cross-site scripting (XSS) vulnerability in the file backend module in TYPO3 4.2.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
- CVE-2009-3628 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.3beta2 | 2009-11-02
The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to determine an encryption key via crafted input to a tt_content form element.
- CVE-2009-3629 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.3beta2 | 2009-11-02
Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allow remote authenticated users to inject arbitrary web scrip…
- CVE-2009-3630 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.3beta2 | 2009-11-02
The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters, rel…
- CVE-2009-3631 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.3beta2 | 2009-11-02
The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via…
- CVE-2010-3659 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 4.4.1 | 2017-10-20
Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 allow remote authenticated backend users to inject arbitrary web script or HTML via unspe…
- CVE-2010-3660 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 4.4.1 | 2019-11-01
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the backend.
- CVE-2010-3661 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 4.4.1 | 2019-11-01
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Open Redirection on the backend.
- CVE-2010-3662 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 4.4.1 | 2019-11-04
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.
- CVE-2010-3663 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 4.4.1 | 2019-11-04
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend.
- CVE-2010-3664 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.4.1 | 2019-11-04
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend.
- CVE-2010-3715 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.4.4 | 2010-10-25
Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the RemoveXSS function, a…
- CVE-2021-21340 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 11.1.1 | 2021-03-23
vulnerable: v11.0.0, v11.1.0
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content get…
- CVE-2021-21370 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 11.1.1 | 2021-03-23
vulnerable: v11.0.0, v11.1.0
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their…
- CVE-2024-34537 | MEDIUM | CVSS 4.9 | EG 4.9 | ✓ Fixed in 10.4.46 | 2024-10-28
vulnerable: v10.0.0 ... v10.4.9 (43 versions)
TYPO3 before 13.3.1 allows denial of service (interface error) in the Bookmark Toolbar (ext:backend), exploitable by an administrator-level backend user account via manipulated data saved in the bookmark toolbar of the backend user interfa…
- CVE-2024-47780 | LOW | CVSS 3.1 | EG 3.1 | ✓ Fixed in 10.4.46 | 2024-10-08
vulnerable: v10.0.0 ... v10.4.9 (43 versions)
TYPO3 is a free and open source Content Management Framework. Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but …
- CVE-2025-59014 | LOW | CVSS 2.7 | EG 2.7 | ✓ Fixed in 12.4.37 | 2025-09-09
vulnerable: v11.0.0 ... v12.4.9 (95 versions)
An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level backend users trigger a denial‑of‑service condition in the backend user interface b…
- CVE-2026-6553 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 14.3.0 | 2026-04-21
vulnerable: 14.2.0, v14.2.0
Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.