Filtered by vendor Typo3
Subscribe
Total
493 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12747 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. | |||||
| CVE-2019-11832 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 9.3 HIGH | 7.5 HIGH |
| TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick. | |||||
| CVE-2019-11831 | 5 Debian, Drupal, Fedoraproject and 2 more | 5 Debian Linux, Drupal, Fedora and 2 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. | |||||
| CVE-2019-11830 | 1 Typo3 | 1 Pharstreamwrapper | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism. | |||||
| CVE-2018-6905 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process. | |||||
| CVE-2011-4904 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| TYPO3 before 4.4.9 and 4.5.x before 4.5.4 does not apply proper access control on ExtDirect calls which allows remote attackers to retrieve ExtDirect endpoint services. | |||||
| CVE-2011-4903 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the RemoveXSS function. | |||||
| CVE-2011-4902 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to delete arbitrary files on the webserver. | |||||
| CVE-2011-4901 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to extract arbitrary information from the TYPO3 database. | |||||
| CVE-2011-4900 | 2 Debian, Typo3 | 2 Debian Linux, Typo3 | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| TYPO3 before 4.5.4 allows Information Disclosure in the backend. | |||||
| CVE-2011-4632 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the tcemain flash message. | |||||
| CVE-2011-4631 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the system extension recycler. | |||||
| CVE-2011-4630 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the browse_links wizard. | |||||
| CVE-2011-4629 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the admin panel. | |||||
| CVE-2011-4628 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authentication mechanisms in the backend through a crafted request. | |||||
| CVE-2011-4627 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows Information Disclosure on the backend. | |||||
| CVE-2011-4626 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the "JSwindow" property of the typolink function. | |||||
| CVE-2011-3583 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are not properly replaced, could lead to a SQL Injection vulnerability. This issue can only be exploited if two or more parameters are bound to the query and at least two come from user input. | |||||
| CVE-2010-3674 | 2 Debian, Typo3 | 2 Debian Linux, Typo3 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| TYPO3 before 4.4.1 allows XSS in the frontend search box. | |||||
| CVE-2010-3673 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows information disclosure in the mail header of the HTML mailing API. | |||||