typo3/cms
Packagist · 116 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting typo3/cms (page 1 of 3)
- CVE-2005-4875 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 3.8.1 | 2005-12-31
TYPO3 3.8.0 and earlier allows remote attackers to obtain sensitive information via a direct request to misc/phpcheck/, which invokes the phpinfo function and prints values of unspecified environment variables.
- CVE-2009-0256 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.2.4 | 2009-01-22
Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) …
- CVE-2009-0258 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.2.4 | 2009-01-22
The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharac…
- CVE-2009-0815 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.2.6 | 2009-03-05
The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitra…
- CVE-2009-0816 | NONE | CVSS 0.0 | EG 0.0 | 2009-03-05
vulnerable: 4.3alpha1
Multiple cross-site scripting (XSS) vulnerabilities in the backend user interface in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 allow remote attackers to inject arbitrary web script or …
- CVE-2009-3635 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.3beta2 | 2009-11-02
The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential.
- CVE-2010-1153 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.3.3 | 2010-04-20
PHP remote file inclusion vulnerability in the autoloader in TYPO3 4.3.x before 4.3.3 allows remote attackers to execute arbitrary PHP code via a URL in an input field associated with the className variable.
- CVE-2010-3714 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.4.4 | 2010-10-25
The jumpUrl (aka access tracking) implementation in tslib/class.tslib_fe.php in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allo…
- CVE-2010-5099 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.4.5 | 2012-05-30
The fileDenyPattern functionality in the PHP file inclusion protection API in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly filter file types, which allows remote attackers to bypass intended acces…
- CVE-2010-5101 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.4.5 | 2012-05-21
Directory traversal vulnerability in the TypoScript setup in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated administrators to read arbitrary files via unspecified vectors related to the "f…
- CVE-2010-5103 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.4.5 | 2012-05-21
SQL injection vulnerability in the list module in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via unspecified vectors.
- CVE-2011-3583 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-11-26
It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are not properly replaced, could lead to a SQL Injection vulnerability. This issue can only be exploited if two or more parameters a…
- CVE-2011-4627 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.5.4 | 2019-11-06
TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows Information Disclosure on the backend.
- CVE-2011-4628 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 4.5.4 | 2019-11-06
TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authentication mechanisms in the backend through a crafted request.
- CVE-2011-4630 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 4.3.12 | 2019-11-06
Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the browse_links wizard.
- CVE-2011-4632 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 4.5.4 | 2019-11-06
Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the tcemain flash message.
- CVE-2011-4900 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.5.4 | 2019-11-06
TYPO3 before 4.5.4 allows Information Disclosure in the backend.
- CVE-2011-4901 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.5.4 | 2019-11-06
TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to extract arbitrary information from the TYPO3 database.
- CVE-2011-4902 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.5.4 | 2019-11-06
TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to delete arbitrary files on the webserver.
- CVE-2011-4903 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 4.5.4 | 2019-11-06
Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the RemoveXSS function.
- CVE-2011-4904 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.5.4 | 2019-11-06
TYPO3 before 4.4.9 and 4.5.x before 4.5.4 does not apply proper access control on ExtDirect calls which allows remote attackers to retrieve ExtDirect endpoint services.
- CVE-2012-1605 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.5.14 | 2012-09-04
The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unserializes untrusted data, which allows remote attackers to unserialize arbitrary objects and possibly execute arbitrary code via vectors related to "a missing signature (H…
- CVE-2012-1606 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.6.7 | 2012-09-04
Multiple cross-site scripting (XSS) vulnerabilities in the Backend component in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allow remote authenticated backend users to inject arbitrary web script or …
- CVE-2012-1607 | NONE | CVSS 0.0 | EG 0.0 | 2012-09-04
The Command Line Interface (CLI) script in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to obtain the database name via a direct request.
- CVE-2012-1608 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.6.7 | 2012-09-04
The t3lib_div::RemoveXSS API method in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism and inject arbitrary web scrip…
- CVE-2012-2112 | NONE | CVSS 0.0 | EG 0.0 | 2012-08-27
vulnerable: 4.7
Cross-site scripting (XSS) vulnerability in the Exception Handler in TYPO3 4.4.x before 4.4.15, 4.5.x before 4.5.15, 4.6.x before 4.6.8, and 4.7 allows remote attackers to inject arbitrary web script or HTML via exception messages.
- CVE-2012-3527 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.7.4 | 2012-09-05
view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an uns…
- CVE-2012-3528 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.7.4 | 2012-09-05
Multiple cross-site scripting (XSS) vulnerabilities in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vec…
- CVE-2012-3529 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.7.4 | 2012-09-05
The configuration module in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to obtain the encryption key via unspecified vectors.
- CVE-2012-3530 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.7.4 | 2012-09-05
Incomplete blacklist vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain HTML5…
- CVE-2012-3531 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.7.4 | 2012-09-05
Cross-site scripting (XSS) vulnerability in the Install Tool in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2012-6144 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.7.6 | 2013-07-01
SQL injection vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to execute arbitrary SQL commands via unspecified vectors.
- CVE-2012-6145 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.7.6 | 2013-07-01
Cross-site scripting (XSS) vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecifi…
- CVE-2012-6146 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.7.6 | 2014-05-20
The Backend History Module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 does not properly restrict access, which allows remote authenticated editors to read the history of arbitrary records via a crafted URL.
- CVE-2012-6147 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.7.6 | 2013-07-01
Cross-site scripting (XSS) vulnerability in the tree render API (TCA-Tree) in the Backend API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web scrip…
- CVE-2012-6148 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.7.6 | 2013-07-01
Cross-site scripting (XSS) vulnerability in the function menu API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified ve…
- CVE-2013-4250 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 6.1.3 | 2014-05-20
The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploadin…
- CVE-2013-4321 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 6.1.4 | 2014-05-20
The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulner…
- CVE-2013-4701 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 6.2.6 | 2013-08-21
vulnerable: 6.2.0 ... 6.2.5 (6 versions)
Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an exter…
- CVE-2013-7073 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 6.1.7 | 2013-12-23
The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table co…
- CVE-2013-7074 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 6.1.7 | 2013-12-21
Multiple cross-site scripting (XSS) vulnerabilities in Content Editing Wizards in TYPO3 4.5.x before 4.5.32, 4.7.x before 4.7.17, 6.0.x before 6.0.12, 6.1.x before 6.1.7, and the development versions of 6.2 allow remote authenticated users…
- CVE-2013-7075 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 6.1.7 | 2013-12-23
The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize arbitrary PHP objects, delete arbitrary files…
- CVE-2013-7341 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 7.3.1 | 2014-03-24
vulnerable: 7.0.0 ... 7.3.0 (6 versions)
Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script …
- CVE-2014-3941 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 6.2.3 | 2014-06-03
vulnerable: 6.2.0, 6.2.1, 6.2.2
TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing."
- CVE-2014-3942 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 6.1.9 | 2014-06-03
The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object.
- CVE-2014-3943 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 6.2.3 | 2014-06-03
vulnerable: 6.2.0, 6.2.1, 6.2.2
Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to …
- CVE-2014-3944 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 6.2.3 | 2014-06-03
vulnerable: 6.2.0, 6.2.1, 6.2.2
The Authentication component in TYPO3 6.2.0 before 6.2.3 does not properly invalidate timed out user sessions, which allows remote attackers to bypass authentication via unspecified vectors.
- CVE-2014-3945 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 6.2.0 | 2014-06-03
The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remote attackers to bypass authentication and…
- CVE-2014-3946 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 6.2.3 | 2014-06-03
vulnerable: 6.2.0, 6.2.1, 6.2.2
The query caching functionality in the Extbase Framework component in TYPO3 6.2.0 before 6.2.3 does not properly validate group permissions, which allows remote authenticated users to read arbitrary queries via unspecified vectors.
- CVE-2014-9508 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 7.0.2 | 2015-01-04
vulnerable: 7.0.0, 7.0.1
The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that only contain anchors, allows remote attackers…
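The practical question behind a listing like this is whether the typo3/cms release pinned in a project falls inside one of the affected ranges. The Python script below is an added example, not part of this page and not TYPO3 or EchelonGraph code: it reads the typo3/cms version out of a composer.lock (a constructed sample is embedded), and matches it against a hand-copied subset of the branch and fixed-version pairs stated in the entries above (CVE-2009-3635, CVE-2014-3941, CVE-2014-3943, CVE-2014-3944, CVE-2014-3946 and CVE-2014-9508), using a comparator that orders TYPO3's alpha/beta tags such as 4.3beta2 below the final release of the same branch. The advisory table is illustrative and covers only those few of the 116 entries; the `ADVISORIES`, `version_key`, `in_branch`, `is_affected`, `installed_version`, `matching_cves` and `audit_lock` names are this example's own.

```python
import json
import re

# Pre-release tags in sort order; a final release (no tag) ranks above all of them.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:[.-]?(alpha|beta|rc)(\d*))?", re.IGNORECASE)

# Subset of the entries on this page, copied by hand: CVE -> [(branch, first fixed version)].
# A version is affected when it is in the branch and sorts below the fixed version.
# Illustrative only; this is not the complete list of 116 advisories.
ADVISORIES = {
    # Install Tool accepts the md5 hash as a credential; "4.3.x before 4.3beta2"
    # (the 4.0-4.2 ranges of the same entry are omitted here).
    "CVE-2009-3635": [("4.3", "4.3beta2")],
    # Host-header spoofing and backend XSS across every branch maintained at the time.
    "CVE-2014-3941": [("4.5", "4.5.34"), ("4.7", "4.7.19"), ("6.0", "6.0.14"),
                      ("6.1", "6.1.9"), ("6.2", "6.2.3")],
    "CVE-2014-3943": [("4.5", "4.5.34"), ("4.7", "4.7.19"), ("6.0", "6.0.14"),
                      ("6.1", "6.1.9"), ("6.2", "6.2.3")],
    # Timed-out sessions not invalidated / Extbase query cache, 6.2 branch only.
    "CVE-2014-3944": [("6.2", "6.2.3")],
    "CVE-2014-3946": [("6.2", "6.2.3")],
    # config.prefixLocalAnchors issue, "7.x before 7.0.2".
    "CVE-2014-9508": [("7", "7.0.2")],
}

# Constructed composer.lock excerpt for the demo (not taken from any real project).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms", "version": "6.2.1"},
        {"name": "symfony/console", "version": "v2.5.0"},
    ],
    "packages-dev": [],
})


def version_key(version: str) -> tuple:
    """Sort key so that 4.3alpha1 < 4.3beta2 < 4.3 == 4.3.0 < 4.3.12."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # pad so '4.3' and '4.3.0' compare equal
    if m.group(2):
        pre = (_PRE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    else:
        pre = (len(_PRE_RANK), 0)  # a final release sorts after every pre-release
    return (tuple(nums), pre)


def in_branch(version: str, branch: str) -> bool:
    """'6.2.1' and '6.2beta1' are in branch '6.2'; '6.20.1' is not."""
    prefix = tuple(int(x) for x in branch.split("."))
    return version_key(version)[0][: len(prefix)] == prefix


def is_affected(version: str, branch: str, first_fixed: str) -> bool:
    """Affected means: same branch as the advisory range and older than the fix."""
    return in_branch(version, branch) and version_key(version) < version_key(first_fixed)


def installed_version(lock_json: str, package: str = "typo3/cms"):
    """Return the version pinned for `package` in composer.lock text, or None."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def matching_cves(version: str) -> list:
    """Sorted CVE IDs from ADVISORIES whose affected ranges contain `version`."""
    return sorted(
        cve for cve, ranges in ADVISORIES.items()
        if any(is_affected(version, branch, fixed) for branch, fixed in ranges)
    )


def audit_lock(lock_json: str) -> list:
    """End-to-end check: composer.lock text -> list of matching CVE IDs."""
    version = installed_version(lock_json)
    return [] if version is None else matching_cves(version)


if __name__ == "__main__":
    v = installed_version(SAMPLE_COMPOSER_LOCK)
    print(f"typo3/cms {v}: {', '.join(matching_cves(v)) or 'no matches in the sample table'}")
```

Branch membership is checked separately from ordering on purpose: "4.5.x before 4.5.34" must not flag 4.4.9 even though 4.4.9 sorts below 4.5.34, and a pre-release such as 4.3alpha1 belongs to the 4.3 branch even though it sorts below 4.3.0. For a real project, `composer audit` (Composer 2.4 and later) performs this match against the full Packagist advisory database; the block only shows the range logic such a tool applies.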