Typo3CVEs & Vulnerabilities

513 CVEs affecting Typo3 products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

typo3 3,637sr feuser register extension 45jobcontrol 36simplesurvey 23wec discussion forum 19sql frontend extension 13commerce extension 12neos 6
CVE-2009-4337HIGH

SQL injection vulnerability in the Diocese of Portsmouth Calendar (pd_calendar) extension 0.4.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors, a different issue than CVE-2008-6691.

17 Dec 2009
7.5
CVSS
CVE-2009-4336MEDIUM

Cross-site scripting (XSS) vulnerability in the Diocese of Portsmouth Calendar (pd_calendar) extension 0.4.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

17 Dec 2009
4.3
CVSS
CVE-2009-4167MEDIUM

Unspecified vulnerability in the Automatic Base Tags for RealUrl (lt_basetag) extension 1.0.0 for TYPO3 allows remote attackers to conduct "Cache spoofing" attacks via unspecified vectors.

2 Dec 2009
6.4
CVSS
CVE-2009-4166HIGH

SQL injection vulnerability in the Trips (mchtrips) extension 2.0.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

2 Dec 2009
7.5
CVSS
CVE-2009-4165HIGH

SQL injection vulnerability in the simple Glossar (simple_glossar) extension 1.0.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

2 Dec 2009
7.5
CVSS
CVE-2009-4164MEDIUM

Cross-site scripting (XSS) vulnerability in the simple Glossar (simple_glossar) extension 1.0.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2 Dec 2009
4.3
CVSS
CVE-2009-4163HIGH

SQL injection vulnerability in the TW Productfinder (tw_productfinder) extension 0.0.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

2 Dec 2009
7.5
CVSS
CVE-2009-4162HIGH

Unspecified vulnerability in the DB Integration (wfqbe) extension 1.3.1 and earlier for TYPO3 allows local users to execute arbitrary commands via unspecified vectors.

2 Dec 2009
7.2
CVSS
CVE-2009-4161MEDIUM

Cross-site scripting (XSS) vulnerability in the [AN] Search it! (an_searchit) extension 2.4.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2 Dec 2009
4.3
CVSS
CVE-2009-4160MEDIUM

Unspecified vulnerability in the Simple download-system with counter and categories (kk_downloader) extension 1.2.1 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown attack vectors.

2 Dec 2009
5.0
CVSS
CVE-2009-4159LOW

Cross-site scripting (XSS) vulnerability in the newsletter configuration feature in the backend module in the Direct Mail (direct_mail) extension 2.6.4 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

2 Dec 2009
3.5
CVSS
CVE-2009-4158HIGH

SQL injection vulnerability in the Calendar Base (cal) extension before 1.2.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

2 Dec 2009
7.5
CVSS
CVE-2009-3636MEDIUM

Cross-site scripting (XSS) vulnerability in the Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

2 Nov 2009
4.3
CVSS
CVE-2009-3635MEDIUM

The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential.

2 Nov 2009
6.8
CVSS
CVE-2009-3634MEDIUM

Cross-site scripting (XSS) vulnerability in the Frontend Login Box (aka felogin) subcomponent in TYPO3 4.2.0 through 4.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

2 Nov 2009
4.3
CVSS
CVE-2009-3633MEDIUM

Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the sanitizing algorithm.

2 Nov 2009
4.3
CVSS
CVE-2009-3632MEDIUM

SQL injection vulnerability in the traditional frontend editing feature in the Frontend Editing subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to execute arbitrary SQL commands via unspecified parameters.

2 Nov 2009
6.5
CVSS
CVE-2009-3631HIGH

The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.

2 Nov 2009
8.5
CVSS
CVE-2009-3630MEDIUM

The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters, related to a "frame hijacking" issue.

2 Nov 2009
5.5
CVSS
CVE-2009-3629LOW

Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

2 Nov 2009
3.5
CVSS
CVE-2009-3628MEDIUM

The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to determine an encryption key via crafted input to a tt_content form element.

2 Nov 2009
4.0
CVSS
CVE-2009-3821MEDIUM

Cross-site scripting (XSS) vulnerability in the Apache Solr Search (solr) extension 1.0.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

28 Oct 2009
4.3
CVSS
CVE-2009-3820HIGH

SQL injection vulnerability in the Flagbit Filebase (fb_filebase) extension 0.1.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

28 Oct 2009
7.5
CVSS
CVE-2009-3819CRITICAL

Unspecified vulnerability in the Random Images (maag_randomimage) extension 1.6.4 and earlier for TYPO3 allows remote attackers to execute arbitrary shell commands via unspecified vectors.

28 Oct 2009
10.0
CVSS
CVE-2009-3818CRITICAL

Unspecified vulnerability in the session handling feature in freeCap CAPTCHA (sr_freecap) extension 1.2.0 and earlier for TYPO3 has unknown impact and attack vectors.

28 Oct 2009
10.0
CVSS
CVE-2009-2106HIGH

SQL injection vulnerability in the Virtual Civil Services (civserv) extension 4.3.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

17 Jun 2009
7.5
CVSS
CVE-2009-2104MEDIUM

Cross-site scripting (XSS) vulnerability in the Modern Guestbook / Commenting System (ve_guestbook) extension 2.7.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

17 Jun 2009
4.3
CVSS
CVE-2009-2103HIGH

SQL injection vulnerability in the Frontend MP3 Player (fe_mp3player) 0.2.3 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

17 Jun 2009
7.5
CVSS
CVE-2008-6699MEDIUM

Cross-site scripting (XSS) vulnerability in Resource Library (tjs_reslib) 0.1.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

11 Apr 2009
4.3
CVSS
CVE-2008-6698MEDIUM

Cross-site scripting (XSS) vulnerability in TARGET-E WorldCup Bets (worldcup) 2.0.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

11 Apr 2009
4.3
CVSS
CVE-2008-6697HIGH

SQL injection vulnerability in TARGET-E WorldCup Bets (worldcup) 2.0.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

11 Apr 2009
7.5
CVSS
CVE-2008-6696HIGH

SQL injection vulnerability in Fussballtippspiel (toto) 0.1.1 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

11 Apr 2009
7.5
CVSS
CVE-2008-6695HIGH

SQL injection vulnerability in TIMTAB social bookmark icons (timtab_sociable) 2.0.4 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

11 Apr 2009
7.5
CVSS
CVE-2008-6694HIGH

SQL injection vulnerability in Random Prayer (ste_prayer) 0.0.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

11 Apr 2009
7.5
CVSS
CVE-2008-6693HIGH

SQL injection vulnerability in Download system (sb_downloader) extension 0.1.4 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

11 Apr 2009
7.5
CVSS
CVE-2008-6692HIGH

SQL injection vulnerability in Diocese of Portsmouth Training Courses (pd_trainingcourses) extension 0.1.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

11 Apr 2009
7.5
CVSS
CVE-2008-6691HIGH

SQL injection vulnerability in Diocese of Portsmouth Calendar Today (pd_calendar_today) extension 0.0.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

11 Apr 2009
7.5
CVSS
CVE-2008-6690HIGH

Unspecified vulnerability in nepa-design.de Spam Protection (nd_antispam) extension 1.0.3 for TYPO3 allows remote attackers to modify configuration via unknown vectors.

11 Apr 2009
7.5
CVSS
CVE-2008-6689HIGH

SQL injection vulnerability in JobControl (dmmjobcontrol) 1.15.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

11 Apr 2009
7.5
CVSS
CVE-2008-6688MEDIUM

Cross-site scripting (XSS) vulnerability in JobControl (dmmjobcontrol) 1.15.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

11 Apr 2009
4.3
CVSS
CVE-2008-6687MEDIUM

Cross-site scripting (XSS) vulnerability in DCD GoogleMap (dcdgooglemap) 1.1.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

11 Apr 2009
4.3
CVSS
CVE-2008-6686HIGH

SQL injection vulnerability in CoolURI (cooluri) 1.0.11 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

11 Apr 2009
7.5
CVSS
CVE-2008-6685HIGH

Unspecified vulnerability in Frontend Filemanager (air_filemanager) 0.6.1 and earlier extension for TYPO3 allows remote attackers to execute arbitrary commands via unknown vectors.

11 Apr 2009
7.5
CVSS
CVE-2009-1264MEDIUM

Frontend User Registration (sr_feuser_register) extension 2.5.20 and earlier for TYPO3 does not properly verify access rights, which allows remote authenticated users to obtain sensitive information such as passwords via unknown attack vectors.

8 Apr 2009
4.0
CVSS
CVE-2008-6630HIGH

Directory traversal vulnerability in the wt_gallery extension 2.5.0 and earlier for TYPO3 allows remote attackers to read arbitrary image files and determine directory structure via unspecified vectors.

7 Apr 2009
7.8
CVSS
CVE-2008-6595HIGH

SQL injection vulnerability in the pmk_rssnewsexport extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

3 Apr 2009
7.5
CVSS
CVE-2008-6463HIGH

SQL injection vulnerability in the Diocese of Portsmouth Church Search (pd_churchsearch) extension before 0.1.1, and 0.2.10 and earlier 0.2.x versions, an extension for TYPO3, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

13 Mar 2009
7.5
CVSS
CVE-2008-6462HIGH

SQL injection vulnerability in the My quiz and poll (myquizpoll) extension before 0.1.4 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

13 Mar 2009
7.5
CVSS
← PrevPage 9 / 11Next →