U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:typo3:typo3:6.0.13:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 233 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2022-23501

TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

Published: December 14, 2022; 3:15:10 AM -0500
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2021-21365

Bootstrap Package is a theme for TYPO3. It has been discovered that rendering content in the website frontend is vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. Users of the extension, who have overwritten the affected templates with custom code must manually apply the security fix. Update to version 7.1.2, 8.0.8, 9.1.4, 10.0.10 or 11.0.3 of the Bootstrap Package that fix the problem described. Updated version are available from the TYPO3 extension manager, Packagist and at https://extensions.typo3.org/extension/download/bootstrap_package/.

Published: April 27, 2021; 4:15:08 PM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2019-19849

An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges.

Published: December 17, 2019; 12:15:17 PM -0500
V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2019-19848

An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.)

Published: December 17, 2019; 12:15:17 PM -0500
V3.1: 7.2 HIGH
V2.0: 6.5 MEDIUM
CVE-2018-6905

The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process.

Published: April 08, 2018; 1:29:00 PM -0400
V3.0: 4.8 MEDIUM
V2.0: 3.5 LOW
CVE-2016-5091

Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action.

Published: January 23, 2017; 4:59:01 PM -0500
V3.0: 8.1 HIGH
V2.0: 6.8 MEDIUM
CVE-2015-5956

The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php and the (2) redirect_url parameter to index.php.

Published: September 16, 2015; 10:59:02 AM -0400
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2014-9509

The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set to all or cached, allows remote attackers to have an unspecified impact (possibly resource consumption) via a "Cache Poisoning" attack using a URL with arbitrary arguments, which triggers a reload of the page.

Published: January 04, 2015; 4:59:07 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-9508

The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that only contain anchors, allows remote attackers to change URLs to arbitrary domains for those links via unknown vectors.

Published: January 04, 2015; 4:59:05 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-3945

The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remote attackers to bypass authentication and gain access to the backend by leveraging knowledge of a password hash.

Published: June 03, 2014; 10:55:11 AM -0400
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2014-3943

Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters.

Published: June 03, 2014; 10:55:11 AM -0400
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2014-3942

The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object.

Published: June 03, 2014; 10:55:10 AM -0400
V3.x:(not available)
V2.0: 6.0 MEDIUM
CVE-2014-3941

TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing."

Published: June 03, 2014; 10:55:10 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-1087

Cross-site scripting (XSS) vulnerability in the Post data records to facebook (bc_post2facebook) extension before 0.2.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: February 14, 2012; 12:55:03 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-1086

Cross-site scripting (XSS) vulnerability in the UrlTool (aeurltool) extension 0.1.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: February 14, 2012; 12:55:03 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-1085

Unspecified vulnerability in the BE User Switch (beuserswitch) extension 0.0.1 for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors.

Published: February 14, 2012; 12:55:03 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-1084

Cross-site scripting (XSS) vulnerability in the BE User Switch (beuserswitch) extension 0.0.1 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: February 14, 2012; 12:55:03 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-1083

Cross-site request forgery (CSRF) vulnerability in the Terminal PHP Shell (terminal) extension 0.3.2 and earlier for TYPO3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Published: February 14, 2012; 12:55:03 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2012-1082

Cross-site scripting (XSS) vulnerability in the Terminal PHP Shell (terminal) extension 0.3.2 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Published: February 14, 2012; 12:55:03 PM -0500
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2012-1081

Cross-site scripting (XSS) vulnerability in the Yet another Google search (ya_googlesearch) extension before 0.3.10 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: February 14, 2012; 12:55:03 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM