Typo3CVEs & Vulnerabilities

513 CVEs affecting Typo3 products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

typo3 3,637sr feuser register extension 45jobcontrol 36simplesurvey 23wec discussion forum 19sql frontend extension 13commerce extension 12neos 6
CVE-2011-4903MEDIUM

Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the RemoveXSS function.

6 Nov 2019
6.1
CVSS
CVE-2011-4902MEDIUM

TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to delete arbitrary files on the webserver.

6 Nov 2019
6.5
CVSS
CVE-2011-4901MEDIUM

TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to extract arbitrary information from the TYPO3 database.

6 Nov 2019
6.5
CVSS
CVE-2011-4900MEDIUM

TYPO3 before 4.5.4 allows Information Disclosure in the backend.

6 Nov 2019
6.5
CVSS
CVE-2011-4632MEDIUM

Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the tcemain flash message.

6 Nov 2019
5.4
CVSS
CVE-2011-4631MEDIUM

Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the system extension recycler.

6 Nov 2019
5.4
CVSS
CVE-2011-4630MEDIUM

Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the browse_links wizard.

6 Nov 2019
5.4
CVSS
CVE-2011-4629MEDIUM

Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the admin panel.

6 Nov 2019
5.4
CVSS
CVE-2011-4628CRITICAL

TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authentication mechanisms in the backend through a crafted request.

6 Nov 2019
9.8
CVSS
CVE-2011-4627MEDIUM

TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows Information Disclosure on the backend.

6 Nov 2019
6.5
CVSS
CVE-2011-4626MEDIUM

Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the "JSwindow" property of the typolink function.

6 Nov 2019
6.1
CVSS
CVE-2010-3674MEDIUM

TYPO3 before 4.4.1 allows XSS in the frontend search box.

5 Nov 2019
6.1
CVSS
CVE-2010-3673MEDIUM

TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows information disclosure in the mail header of the HTML mailing API.

5 Nov 2019
5.3
CVSS
CVE-2010-3672MEDIUM

TYPO3 before 4.3.4 and 4.4.x before 4.4.1 allows XSS in the textarea view helper in an extbase extension.

5 Nov 2019
6.1
CVSS
CVE-2010-3671MEDIUM

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.

5 Nov 2019
6.5
CVSS
CVE-2010-3670MEDIUM

TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the "forgot password" function.

5 Nov 2019
4.8
CVSS
CVE-2010-3669MEDIUM

TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS and Open Redirection in the frontend login box.

5 Nov 2019
5.4
CVSS
CVE-2010-3668HIGH

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Header Injection in the secure download feature jumpurl.

5 Nov 2019
7.5
CVSS
CVE-2010-3667MEDIUM

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Spam Abuse in the native form content element.

5 Nov 2019
5.3
CVSS
CVE-2010-3666MEDIUM

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the uniqid function.

5 Nov 2019
5.3
CVSS
CVE-2010-3665MEDIUM

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the Extension Manager.

5 Nov 2019
5.4
CVSS
CVE-2010-3664MEDIUM

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend.

5 Nov 2019
6.5
CVSS
CVE-2010-3663HIGH

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend.

5 Nov 2019
8.8
CVSS
CVE-2010-3662HIGH

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.

5 Nov 2019
8.8
CVSS
CVE-2010-3661MEDIUM

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Open Redirection on the backend.

1 Nov 2019
6.1
CVSS
CVE-2010-3660MEDIUM

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the backend.

1 Nov 2019
5.4
CVSS
CVE-2019-12748MEDIUM

TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS.

9 Jul 2019
6.1
CVSS
CVE-2019-12747HIGH

TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data.

9 Jul 2019
8.8
CVSS
CVE-2019-11832HIGH

TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick.

9 May 2019
7.5
CVSS
CVE-2019-11831CRITICAL

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

9 May 2019
9.8
CVSS
CVE-2019-11830CRITICAL

PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism.

9 May 2019
9.8
CVSS
CVE-2018-6905MEDIUM

The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process.

8 Apr 2018
4.8
CVSS
CVE-2010-3659MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified parameters to the extension manager, or unspecified parameters to unknown backend forms.

20 Oct 2017
5.4
CVSS
CVE-2017-14251HIGH

Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code.

11 Sep 2017
8.8
CVSS
CVE-2017-6370MEDIUM

TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields.

17 Mar 2017
5.3
CVSS
CVE-2016-5091HIGH

Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action.

23 Jan 2017
8.1
CVSS
CVE-2016-4056MEDIUM

Cross-site scripting (XSS) vulnerability in the Backend component in TYPO3 6.2.x before 6.2.19 allows remote attackers to inject arbitrary web script or HTML via the module parameter when creating a bookmark.

23 Jan 2017
6.1
CVSS
CVE-2015-8760MEDIUM

The Flvplayer component in TYPO3 6.2.x before 6.2.16 allows remote attackers to embed Flash videos from external domains via unspecified vectors, aka "Cross-Site Flashing."

8 Jan 2016
6.1
CVSS
CVE-2015-8759MEDIUM

Cross-site scripting (XSS) vulnerability in the typoLink function in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote authenticated editors to inject arbitrary web script or HTML via a link field.

8 Jan 2016
5.4
CVSS
CVE-2015-8758MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in unspecified frontend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown vectors.

8 Jan 2016
5.4
CVSS
CVE-2015-8757MEDIUM

Cross-site scripting (XSS) vulnerability in the Extension Manager in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to extension data during an extension installation.

8 Jan 2016
6.1
CVSS
CVE-2015-8756MEDIUM

Cross-site scripting (XSS) vulnerability in the search result view in the Indexed Search (indexed_search) component in TYPO3 6.2.x before 6.2.16 allows remote authenticated editors to inject arbitrary web script or HTML via unspecified vectors.

8 Jan 2016
5.4
CVSS
CVE-2015-8755MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown vectors.

8 Jan 2016
5.4
CVSS
CVE-2015-5956LOW

The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php and the (2) redirect_url parameter to index.php.

16 Sep 2015
3.5
CVSS
CVE-2015-2821MEDIUM

TYPO3 Neos 1.1.x before 1.1.3 and 1.2.x before 1.2.3 allows remote editors to access, create, and modify content nodes in the workspace of other editors via unspecified vectors.

1 Apr 2015
6.5
CVSS
CVE-2015-2047LOW

The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4.15, 4.5.0 through 4.5.39, and 4.6.0 through 4.6.18, when configured for the frontend, allows remote attackers to bypass authentication via a password that is casted to an empty value.

23 Feb 2015
2.6
CVSS
CVE-2014-9509HIGH

The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set to all or cached, allows remote attackers to have an unspecified impact (possibly resource consumption) via a "Cache Poisoning" attack using a URL with arbitrary arguments, which triggers a reload of the page.

4 Jan 2015
7.5
CVSS
CVE-2014-9508MEDIUM

The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that only contain anchors, allows remote attackers to change URLs to arbitrary domains for those links via unknown vectors.

4 Jan 2015
4.3
CVSS
← PrevPage 3 / 11Next →