Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2019-19850 |
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges. Published: December 17, 2019; 12:15:18 PM -0500 |
V3.1: 7.2 HIGH V2.0: 6.5 MEDIUM |
CVE-2019-19849 |
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges. Published: December 17, 2019; 12:15:17 PM -0500 |
V3.1: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2019-19848 |
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.) Published: December 17, 2019; 12:15:17 PM -0500 |
V3.1: 7.2 HIGH V2.0: 6.5 MEDIUM |
CVE-2019-12748 |
TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. Published: July 09, 2019; 11:15:10 AM -0400 |
V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2019-12747 |
TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. Published: July 09, 2019; 11:15:10 AM -0400 |
V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2019-11832 |
TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick. Published: May 09, 2019; 1:29:01 AM -0400 |
V3.0: 7.5 HIGH V2.0: 9.3 HIGH |
CVE-2018-6905 |
The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process. Published: April 08, 2018; 1:29:00 PM -0400 |
V3.0: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2017-14251 |
Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code. Published: September 11, 2017; 5:29:00 AM -0400 |
V3.0: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2012-1087 |
Cross-site scripting (XSS) vulnerability in the Post data records to facebook (bc_post2facebook) extension before 0.2.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Published: February 14, 2012; 12:55:03 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-1086 |
Cross-site scripting (XSS) vulnerability in the UrlTool (aeurltool) extension 0.1.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Published: February 14, 2012; 12:55:03 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-1085 |
Unspecified vulnerability in the BE User Switch (beuserswitch) extension 0.0.1 for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors. Published: February 14, 2012; 12:55:03 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-1084 |
Cross-site scripting (XSS) vulnerability in the BE User Switch (beuserswitch) extension 0.0.1 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Published: February 14, 2012; 12:55:03 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-1083 |
Cross-site request forgery (CSRF) vulnerability in the Terminal PHP Shell (terminal) extension 0.3.2 and earlier for TYPO3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Published: February 14, 2012; 12:55:03 PM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2012-1082 |
Cross-site scripting (XSS) vulnerability in the Terminal PHP Shell (terminal) extension 0.3.2 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Published: February 14, 2012; 12:55:03 PM -0500 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2012-1081 |
Cross-site scripting (XSS) vulnerability in the Yet another Google search (ya_googlesearch) extension before 0.3.10 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Published: February 14, 2012; 12:55:03 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-1080 |
Cross-site scripting (XSS) vulnerability in the Euro Calculator (skt_eurocalc) extension 0.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Published: February 14, 2012; 12:55:03 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-1079 |
Unspecified vulnerability in the Webservices for TYPO3 (typo3_webservice) extension before 0.3.8 for TYPO3 allows remote authenticated users to execute arbitrary code via unknown vectors. Published: February 14, 2012; 12:55:03 PM -0500 |
V3.x:(not available) V2.0: 6.5 MEDIUM |
CVE-2012-1078 |
The System Utilities (sysutils) extension 1.0.3 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unspecified vectors related to improper "protection" of the "backup output directory." Published: February 14, 2012; 12:55:03 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-1077 |
SQL injection vulnerability in the Post data records to facebook (bc_post2facebook) extension before 0.2.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Published: February 14, 2012; 12:55:03 PM -0500 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2012-1076 |
Cross-site scripting (XSS) vulnerability in the Documents download (rtg_files) extension before 1.5.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Published: February 14, 2012; 12:55:02 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |