Typo3CVEs & Vulnerabilities

513 CVEs affecting Typo3 products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

typo3 3,637sr feuser register extension 45jobcontrol 36simplesurvey 23wec discussion forum 19sql frontend extension 13commerce extension 12neos 6
CVE-2009-4948MEDIUM

Cross-site scripting (XSS) vulnerability in the Store Locator extension before 1.2.8 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

22 Jul 2010
4.3
CVSS
CVE-2010-2131HIGH

SQL injection vulnerability in the Calendar Base (cal) extension before 1.3.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via iCalendar data.

2 Jun 2010
7.5
CVSS
CVE-2009-4855HIGHpoc

SQL injection vulnerability in index.php in TYPO3 4.0 allows remote attackers to execute arbitrary SQL commands via the showUid parameter. NOTE: the TYPO3 Security Team disputes this report, stating that "there is no such vulnerability... The showUid parameter is generally used in third-party TYPO3 extensions - not in TYPO3 Core.

11 May 2010
7.5
CVSS
CVE-2009-4804MEDIUM

Cross-site scripting (XSS) vulnerability in the Calendar Base (cal) extension before 1.1.1 for TYPO3, when Internet Explorer 6 is used, allows remote attackers to inject arbitrary web script or HTML via "search parameters."

23 Apr 2010
4.3
CVSS
CVE-2009-4803HIGH

SQL injection vulnerability in the Accessibility Glossary (a21glossary) extension 0.4.10 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

23 Apr 2010
7.5
CVSS
CVE-2009-4802HIGH

SQL injection vulnerability in the Flat Manager (flatmgr) extension before 1.9.16 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

23 Apr 2010
7.5
CVSS
CVE-2010-1153MEDIUM

PHP remote file inclusion vulnerability in the autoloader in TYPO3 4.3.x before 4.3.3 allows remote attackers to execute arbitrary PHP code via a URL in an input field associated with the className variable.

20 Apr 2010
6.8
CVSS
CVE-2010-1218MEDIUM

Cross-site scripting (XSS) vulnerability in the mm_forum extension 1.8.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

31 Mar 2010
4.3
CVSS
CVE-2009-4740HIGH

Directory traversal vulnerability in the Webesse E-Card (ws_ecard) extension 1.0.2 and earlier for TYPO3 has unspecified impact and remote attack vectors.

26 Mar 2010
7.5
CVSS
CVE-2010-1027HIGH

SQL injection vulnerability in the Meet Travelmates (travelmate) extension 0.1.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1026HIGH

SQL injection vulnerability in the CleanDB - DBAL (tmsw_cleandb) extension 2.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1025MEDIUM

Cross-site scripting (XSS) vulnerability in the TGM-Newsletter (tgm_newsletter) extension 0.0.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

19 Mar 2010
4.3
CVSS
CVE-2010-1024HIGH

SQL injection vulnerability in the TGM-Newsletter (tgm_newsletter) extension 0.0.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1022HIGH

The TYPO3 Security - Salted user password hashes (t3sec_saltedpw) extension before 0.2.13 for TYPO3 allows remote attackers to bypass authentication via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1021MEDIUM

Cross-site scripting (XSS) vulnerability in the Typo3 Quixplorer (t3quixplorer) extension before 1.7.1 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

19 Mar 2010
4.3
CVSS
CVE-2010-1020MEDIUM

Cross-site scripting (XSS) vulnerability in the Simple Gallery (sk_simplegallery) extension 0.0.9 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

19 Mar 2010
4.3
CVSS
CVE-2010-1019HIGH

SQL injection vulnerability in the Simple Gallery (sk_simplegallery) extension 0.0.9 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1018HIGH

SQL injection vulnerability in the Book Reviews (sk_bookreview) extension 0.0.12 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1017HIGH

SQL injection vulnerability in the SAV Filter Months (sav_filter_months) extension before 1.0.5 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1016HIGH

SQL injection vulnerability in the SAV Filter Selectors (sav_filter_selectors) extension before 1.0.5 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1015HIGH

SQL injection vulnerability in the SAV Filter Alphabetic (sav_filter_abc) extension before 1.0.9 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1014MEDIUM

Cross-site scripting (XSS) vulnerability in the Reports Logfile View (reports_logview) extension 1.2.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

19 Mar 2010
4.3
CVSS
CVE-2010-1013HIGH

SQL injection vulnerability in the Diocese of Portsmouth Database (pd_diocesedatabase) extension before 0.7.13 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1012HIGH

SQL injection vulnerability in the CleanDB (nf_cleandb) extension 1.0.7 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1011MEDIUM

Cross-site scripting (XSS) vulnerability in the myDashboard (mydashboard) extension 0.1.13 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

19 Mar 2010
4.3
CVSS
CVE-2010-1010HIGH

SQL injection vulnerability in the MK Wastebasket (mk_wastebasket) extension 2.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1009HIGH

SQL injection vulnerability in the Educator extension 0.1.5 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1008MEDIUM

Cross-site scripting (XSS) vulnerability in the Sellector.com Widget Integration (chsellector) extension before 0.1.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

19 Mar 2010
4.3
CVSS
CVE-2010-1007MEDIUM

Unspecified vulnerability in the Power Extension Manager (ch_lightem) extension 1.0.34 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors.

19 Mar 2010
5.0
CVSS
CVE-2010-1006HIGH

SQL injection vulnerability in the Brainstorming extension 0.1.8 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2010-1005MEDIUM

Cross-site scripting (XSS) vulnerability in the Yet another TYPO3 search engine (YATSE) extension before 0.3.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

19 Mar 2010
4.3
CVSS
CVE-2010-1004HIGH

SQL injection vulnerability in the Yet another TYPO3 search engine (YATSE) extension before 0.3.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

19 Mar 2010
7.5
CVSS
CVE-2009-4711HIGH

SQL injection vulnerability in the CoolURI (cooluri) extension before 1.0.16 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2008-6686.

16 Mar 2010
7.5
CVSS
CVE-2009-4710HIGH

SQL injection vulnerability in the Reset backend password (cwt_resetbepassword) extension 1.20 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

16 Mar 2010
7.5
CVSS
CVE-2009-4709HIGH

SQL injection vulnerability in the datamints Newsticker (datamints_newsticker) extension before 0.7.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

16 Mar 2010
7.5
CVSS
CVE-2009-4708HIGH

SQL injection vulnerability in the [Gobernalia] Front End News Submitter (gb_fenewssubmit) extension 0.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

16 Mar 2010
7.5
CVSS
CVE-2009-4707MEDIUM

Cross-site scripting (XSS) vulnerability in the [Gobernalia] Front End News Submitter (gb_fenewssubmit) extension 0.1.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

16 Mar 2010
4.3
CVSS
CVE-2009-4706MEDIUM

Cross-site scripting (XSS) vulnerability in the Mailform (mailform) extension before 0.9.24 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

16 Mar 2010
4.3
CVSS
CVE-2009-4705MEDIUM

Cross-site scripting (XSS) vulnerability in the Twitter Search (twittersearch) extension before 0.1.1 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

16 Mar 2010
4.3
CVSS
CVE-2009-4704MEDIUM

Unspecified vulnerability in the Webesse E-Card (ws_ecard) extension 1.0.2 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors.

16 Mar 2010
5.0
CVSS
CVE-2009-4703HIGH

SQL injection vulnerability in the Webesse Image Gallery (ws_gallery) extension 1.0.4 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

16 Mar 2010
7.5
CVSS
CVE-2009-4702HIGH

SQL injection vulnerability in the Tour Extension (pm_tour) extension before 0.0.13 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

16 Mar 2010
7.5
CVSS
CVE-2009-4701HIGH

SQL injection vulnerability in the Myth download (myth_download) extension 0.1.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

16 Mar 2010
7.5
CVSS
CVE-2010-0798HIGH

SQL injection vulnerability in the T3BLOG extension 0.6.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

2 Mar 2010
7.5
CVSS
CVE-2010-0797MEDIUM

Cross-site scripting (XSS) vulnerability in the T3BLOG extension 0.6.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2 Mar 2010
4.3
CVSS
CVE-2010-0286MEDIUM

Unspecified vulnerability in the OpenID Identity Authentication extension in TYPO3 4.3.0 allows remote attackers to bypass authentication and gain access to a backend user account via unknown attack vectors in which both the attacker and victim have an OpenID provider that discards identities during authentication.

22 Feb 2010
5.1
CVSS
CVE-2010-0350HIGH

Directory traversal vulnerability in the Photo Book (goof_fotoboek) extension 1.7.14 and earlier for TYPO3 has unknown impact and remote attack vectors.

15 Jan 2010
7.5
CVSS
CVE-2010-0347MEDIUM

Cross-site scripting (XSS) vulnerability in the VD / Geomap (vd_geomap) extension 0.3.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

15 Jan 2010
4.3
CVSS
← PrevPage 7 / 11Next →