Product:

Typo3

(Typo3)
Repositories

Unknown:

This might be proprietary software.
#Vulnerabilities 186
Date Id Summary Products Score Patch Annotated
2024-02-13 CVE-2024-25119 TYPO3 is an open source PHP based web content management system released under the GNU GPL. The plaintext value of `$GLOBALS['SYS']['encryptionKey']` was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. Users are... Typo3 4.9
2024-02-13 CVE-2024-25120 TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS,... Typo3 4.3
2024-02-13 CVE-2024-25121 TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public... Typo3 7.1
2010-05-11 CVE-2009-4855 SQL injection vulnerability in index.php in TYPO3 4.0 allows remote attackers to execute arbitrary SQL commands via the showUid parameter. NOTE: the TYPO3 Security Team disputes this report, stating that "there is no such vulnerability... The showUid parameter is generally used in third-party TYPO3 extensions - not in TYPO3 Core. Typo3 N/A
2009-01-22 CVE-2009-0255 The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an insufficiently random seed, which makes it easier for attackers to crack the key. Debian_linux, Typo3 7.5
2012-09-05 CVE-2012-3527 view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)." Debian_linux, Typo3 N/A
2019-07-09 CVE-2019-12747 TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. Typo3 8.8
2019-07-09 CVE-2019-12748 TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. Typo3 6.1
2020-05-14 CVE-2020-11066 In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the web site (mail relay). Another insecure... Typo3 10.0
2020-05-14 CVE-2020-11069 In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victims' user session. In a worst-case scenario, new admin users can be created which can directly be used by an attacker. The... Typo3 8.8