typo3/cms-core Security Advisories (115)
-
[MEDIUM] TYPO3 CMS exposes sensitive information in an error message
PKSA-ns26-fz7n-2jm8 CVE-2025-59016 GHSA-cvm2-5f78-g9m8
Affected version: >=13.0.0,<13.4.18|>=12.0.0,<12.4.37|>=11.0.0,<11.5.48|>=10.0.0,<10.4.54|>=9.0.0,<9.5.55
Reported by:
GitHub -
[MEDIUM] TYPO3 CMS has an open‑redirect vulnerability
PKSA-pz1k-khnw-3j7j CVE-2025-59013 GHSA-72jf-5fg5-3cw3
Affected version: >=13.0.0,<13.4.18|>=12.0.0,<12.4.37|>=11.0.0,<11.5.48|>=10.0.0,<10.4.54|>=9.0.0,<9.5.55
Reported by:
GitHub -
[MEDIUM] TYPO3 CMS uses insufficient entropy when generating passwords
PKSA-rwv7-ff55-f18g CVE-2025-59015 GHSA-p5jq-5383-qvc7
Affected version: >=13.0.0,<13.4.18|>=12.0.0,<12.4.37
Reported by:
GitHub -
[HIGH] TYPO3 Allows Privilege Escalation to System Maintainer
PKSA-2ssc-6m7w-s9xh CVE-2025-47940 GHSA-6frx-j292-c844
Affected version: >=13.0.0,<=13.4.11|>=12.0.0,<=12.4.30|>=11.0.0,<=11.5.43|>=10.4.0,<=10.4.49
Reported by:
GitHub -
[MEDIUM] TYPO3 Allows Unrestricted File Upload in File Abstraction Layer
PKSA-q3vc-nbpk-d1gk CVE-2025-47939 GHSA-9hq9-cr36-4wpj
Affected version: >=13.0.0,<=13.4.11|>=12.0.0,<=12.4.30|>=11.0.0,<=11.5.43|>=10.0.0,<=10.4.49|>=9.0.0,<=9.5.50
Reported by:
GitHub -
[LOW] TYPO3 Unverified Password Change for Backend Users
PKSA-6d7x-2gs8-wr59 CVE-2025-47938 GHSA-3jrg-97f3-rqh9
Affected version: >=13.0.0,<=13.4.11|>=12.0.0,<=12.4.30|>=11.0.0,<=11.5.43|>=10.0.0,<=10.4.49|>=9.0.0,<=9.5.50
Reported by:
GitHub -
[LOW] TYPO3 Allows Information Disclosure via DBAL Restriction Handling
PKSA-b5m3-ttcx-cz18 CVE-2025-47937 GHSA-x8pv-fgxp-8v3x
Affected version: >=13.0.0,<=13.4.11|>=12.0.0,<=12.4.30|>=11.0.0,<=11.5.43|>=10.0.0,<=10.4.49|>=9.0.0,<=9.5.50
Reported by:
GitHub -
[MEDIUM] TYPO3 Potential Open Redirect via Parsing Differences
PKSA-3gg2-48j5-46ky CVE-2024-55892 GHSA-2fx5-pggv-6jjr
Affected version: >=13.0.0,<=13.4.2|>=12.0.0,<=12.4.24|>=11.0.0,<=11.5.41|>=10.0.0,<=10.4.47|>=9.0.0,<=9.5.48
Reported by:
GitHub -
[MEDIUM] TYPO3 Cross-Site Scripting in Form Framework validation handling
PKSA-yj7d-v8zz-m6nq GHSA-95qm-3xp7-vfj5
Affected version: >=9.0.0,<9.5.12|>=8.0.0,<8.7.30|>=10.0.0,<10.2.1
Reported by:
GitHub -
[MEDIUM] TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController
PKSA-tm11-834c-1wbq CVE-2024-34358 GHSA-36g8-62qv-5957
Affected version: >=13.0.0,<=13.1.0|>=12.0.0,<=12.4.14|>=11.0.0,<=11.5.36|>=10.0.0,<=10.4.44|>=9.0.0,<=9.5.47
Reported by:
GitHub -
[MEDIUM] TYPO3 vulnerable to Cross-Site Scripting in the ShowImageController
PKSA-443h-dk5w-qm2g CVE-2024-34357 GHSA-hw6c-6gwq-3m3m
Affected version: >=13.0.0,<=13.1.0|>=12.0.0,<=12.4.14|>=11.0.0,<=11.5.36|>=10.0.0,<=10.4.44|>=9.0.0,<=9.5.47
Reported by:
GitHub -
[MEDIUM] TYPO3 vulnerable to Cross-Site Scripting in the Form Manager Module
PKSA-8vkj-4d3h-x586 CVE-2024-34356 GHSA-v6mw-h7w6-59w3
Affected version: >=13.0.0,<=13.1.0|>=12.0.0,<=12.4.14|>=11.0.0,<=11.5.36|>=10.0.0,<=10.4.44|>=9.0.0,<=9.5.47
Reported by:
GitHub -
[LOW] TYPO3 vulnerable to an HTML Injection in the History Module
PKSA-7dr7-npxr-1nyj CVE-2024-34355 GHSA-xjwx-78x7-q6jc
Affected version: >=13.0.0,<=13.1.0
Reported by:
GitHub -
[HIGH] TYPO3 Install Tool vulnerable to Code Execution
PKSA-prgj-sgzn-q6cs CVE-2024-22188 GHSA-5w2h-59j3-8x5w
Affected version: =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Reported by:
GitHub -
[MEDIUM] Path Traversal in TYPO3 File Abstraction Layer Storages
PKSA-zz7z-6zsy-d2hc CVE-2023-30451 GHSA-w6x2-jg8h-p6mp
Affected version: =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Reported by:
GitHub -
[HIGH] TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler
PKSA-99mg-htb6-c272 CVE-2024-25121 GHSA-rj3x-wvc6-5j66
Affected version: =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Reported by:
GitHub -
[MEDIUM] TYPO3 vulnerable to Improper Access Control of Resources Referenced by t3:// URI Scheme
PKSA-h5xk-8nxx-znp4 CVE-2024-25120 GHSA-wf85-8hx9-gj7c
Affected version: =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Reported by:
GitHub -
[MEDIUM] TYPO3 Install Tool vulnerable to Information Disclosure of Encryption Key
PKSA-d551-hdqh-5mmf CVE-2024-25119 GHSA-h47m-3f78-qp9g
Affected version: =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Reported by:
GitHub -
[MEDIUM] TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords
PKSA-jbhx-knzt-5y6m CVE-2024-25118 GHSA-38r2-5695-334w
Affected version: =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Reported by:
GitHub -
[MEDIUM] TYPO3-CORE-SA-2023-006: Weak Authentication in Session Handling
PKSA-jp7z-h3vv-yr4s CVE-2023-47127 GHSA-3vmm-7h4j-69rm
Affected version: >=8.0.0,<8.7.55|>=9.0.0,<9.5.44|>=10.0.0,<10.4.41|>=11.0.0,<11.5.33|>=12.0.0,<12.4.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] Information Disclosure due to Out-of-scope Site Resolution
PKSA-83hy-ynvj-7pfq CVE-2023-38499 GHSA-jq6g-4v5m-wm9r
Affected version: >=12.0.0,<12.4.4|>=11.0.0,<11.5.30|>=10.0.0,<10.4.39|>=9.4.0,<9.5.42
Reported by:
GitHub -
[HIGH] TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering
PKSA-vxw7-bfmg-pz5q CVE-2023-24814 GHSA-r4f8-f93x-5qh3
Affected version: >=10.0.0,<10.4.35|>=11.0.0,<11.5.23|>=12.0.0,<12.2.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in HTML Sanitizer
PKSA-qbn4-sj3q-rvvx CVE-2022-23499
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration
PKSA-pdn3-qb24-bkw6 CVE-2022-23504 GHSA-8w3p-qh3x-6gjr
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2022-015: Arbitrary Code Execution via Form Framework
PKSA-ccxj-fgkz-pynv CVE-2022-23503 GHSA-c5wx-6c2c-f7rm
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset
PKSA-3p3s-8w1v-x6b3 CVE-2022-23502 GHSA-mgj2-q8wp-29rr
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login
PKSA-hf6f-qcwd-7279 CVE-2022-23501 GHSA-jfp7-79g7-89rf
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling
PKSA-j3x1-dtrb-kbct CVE-2022-23500 GHSA-8c28-5mp7-v24h
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-006: Denial of Service in Page Error Handling
PKSA-p25q-9h89-q9b8 CVE-2022-36104 GHSA-fffr-7x4x-f98q
Affected version: >=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-011: By-passing Cross-Site Scripting Protection in HTML Sanitizer
PKSA-rwrz-v1bh-34yt CVE-2022-36020 GHSA-47m6-46mj-p235
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-010: Cross-Site Scripting in <f:asset.css> view helper
PKSA-wjjh-fbmt-t55w CVE-2022-36108 GHSA-fv2m-9249-qx85
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-009: Stored Cross-Site Scripting via FileDumpController
PKSA-wkgp-n44t-r1jh CVE-2022-36107 GHSA-9c6w-55cp-5w25
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-008: Missing check for expiration time of password reset token for backend users
PKSA-v1kb-vbr1-8fy1 CVE-2022-36106 GHSA-5959-4x58-r8c2
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-007: User Enumeration via Response Timing
PKSA-d4cy-7k8v-3wtm CVE-2022-36105 GHSA-m392-235j-9r7r
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-005: Insufficient Session Expiration in Admin Tool
PKSA-dnvg-71td-yz19 CVE-2022-31050 GHSA-wwjw-r3gj-39fq
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-004: Cross-Site Scripting in Frontend Login Mailer
PKSA-4kgv-d12j-68gk CVE-2022-31049 GHSA-h4mx-xv96-2jgm
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-003: Cross-Site Scripting in Form Framework
PKSA-dh2h-m334-x2dj CVE-2022-31048 GHSA-3r95-23jp-mhvg
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-002: Information Disclosure via Exception Handling/Logger
PKSA-sy4v-bxfk-mjjn CVE-2022-31047 GHSA-fh99-4pgr-8j99
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-001: Information Disclosure via Export Module
PKSA-1f5c-bp4y-tqft CVE-2022-31046 GHSA-8gmv-9hwg-w89g
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3 SQL injection vulnerability in the Extbase Framework
PKSA-bww2-xt9d-zd9m CVE-2013-1842 GHSA-m64j-j252-jxmr
Affected version: >=6.0.0,<6.0.3|>=4.7.0,<4.7.9|>=4.6.0,<4.6.17|>=4.5.0,<=4.5.23
Reported by:
GitHub -
[MEDIUM] TYPO3 Open redirect vulnerability in the Access tracking mechanism
PKSA-b1zy-bnzv-mr97 CVE-2013-1843 GHSA-7gxq-5qqc-v3fc
Affected version: >=6.0.0,<6.0.3|>=4.7.0,<4.7.9|>=4.6.0,<4.6.17|>=4.5.0,<4.5.24
Reported by:
GitHub -
[MEDIUM] TYPO3 is vulnerable to Mass Assignment in the Extension table administration library
PKSA-kwrd-d779-ytq1 CVE-2013-7080 GHSA-5fj8-wh3g-qvq2
Affected version: >=6.0.0,<6.0.11|>=4.6.0,<4.7.16|>=4.5.0,<4.5.31
Reported by:
GitHub -
[MEDIUM] TYPO3 Improper Access Control vulnerability
PKSA-645k-592v-1hn5 CVE-2013-7081 GHSA-r674-mc9p-hvw5
Affected version: >=6.1.0,<6.1.6|>=6.0.0,<6.0.11|>=4.7.0,<4.7.16|>=4.5.0,<4.5.31
Reported by:
GitHub -
[MEDIUM] TYPO3 Improper Access Management in the File Abstraction Layer
PKSA-hwwm-389j-p6f2 CVE-2013-4320 GHSA-p9jg-9w87-6rg4
Affected version: >=6.1,<6.1.4|>=6.0,<6.0.9
Reported by:
GitHub -
[MEDIUM] TYPO3 Sensitive Information Disclosure via escapeStrForLike method
PKSA-1gz3-81f5-ttyn CVE-2010-5104 GHSA-xgc2-q928-27wv
Affected version: >=4.4.0,<4.4.5|>=4.3.0,<4.3.9|>=4.2.0,<4.2.16
Reported by:
GitHub -
[LOW] TYPO3 Cross-site scripting (XSS) vulnerability in the Extbase Framework
PKSA-mcdh-s731-c8c7 CVE-2013-7078 GHSA-qj69-chjp-g4f5
Affected version: >=6.0.0,<6.0.11|>=6.1.0,<6.1.6|>=4.7.0,<4.7.16|>=4.5.0,<4.5.31
Reported by:
GitHub -
[MEDIUM] TYPO3 Cross-site scripting (XSS) vulnerability in the Backend User Administration Module
PKSA-7y51-jdq5-j3jz CVE-2013-7077 GHSA-5cmc-r23m-hvrr
Affected version: >=6.1,<6.1.7|>=6.0,<6.0.12
Reported by:
GitHub -
[MEDIUM] TYPO3 API function vulnerable to Cross-site Scripting
PKSA-536c-fstd-1vzp CVE-2009-3633 GHSA-m7rg-85g8-28m9
Affected version: >=4.3alpha1,<4.3beta2|>=4.2.0,<4.2.10|>=4.1.0,<4.1.13|<=4.0.13
Reported by:
GitHub -
[MEDIUM] TYPO3 Unrestricted File Upload vulnerability
PKSA-kpzq-776n-w7hy CVE-2008-2717 GHSA-f35p-hcwf-9f9f
Affected version: >=4.2.0,<4.2.1|>=4.1.0,<4.1.7|>=4.0.0,<4.0.9
Reported by:
GitHub -
[MEDIUM] TYPO3 is vulnerable to Information Disclosure in the HTML mailing API
PKSA-h3yp-gcbn-7gbt CVE-2010-3673 GHSA-5f2f-hr23-j59j
Affected version: >=4.4,<4.4.1|>=4.3,<4.3.4|<4.2.13
Reported by:
GitHub -
[MEDIUM] TYPO3-CORE-SA-2021-015: HTTP Host Header Injection in Request Handling
PKSA-ptbd-5fbp-bm32 CVE-2021-41114 GHSA-m2jh-fxw4-gphm
Affected version: >=11.0.0,<11.5.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2021-014: Cross-Site-Request-Forgery in Backend URI Handling
PKSA-146t-35pv-hv8w CVE-2021-41113 GHSA-657m-v5vm-f6rw
Affected version: >=11.2.0,<11.5.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-013: Cross-Site Scripting via Rich-Text Content
PKSA-gbv9-2d3q-gcts CVE-2021-32768 GHSA-c5c9-8c6m-727v
Affected version: >=10.0.0,<10.4.19|>=11.0.0,<11.3.2|>=9.0.0,<9.5.29
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-012: Information Disclosure in User Authentication
PKSA-rmrp-g3x4-sq5j CVE-2021-32767 GHSA-34fr-fhqr-7235
Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-011: Cross-Site Scripting in Backend Grid View
PKSA-1c5b-sjdg-7rc3 CVE-2021-32669 GHSA-rgcg-28xm-8mmw
Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-010: Cross-Site Scripting in Query Generator & Query View
PKSA-txkp-tzqy-rz72 CVE-2021-32668 GHSA-6mh3-j5r5-2379
Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-009: Cross-Site Scripting in Page Preview
PKSA-tpdb-shwd-489h CVE-2021-32667 GHSA-8mq9-fqv8-59wf
Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-007: Cross-Site Scripting in Content Preview
PKSA-hrdf-cmfs-zgg7 CVE-2021-21340 GHSA-fjh3-g8gq-9q92
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-004: Cross-Site Scripting in Form Framework
PKSA-h6n8-zzc6-1djm CVE-2021-21358 GHSA-x79j-wgqv-g8h2
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-008: Cross-Site Scripting in Content Preview
PKSA-wqbp-c8pr-qp5w CVE-2021-21370 GHSA-x7hc-x7fm-f7qh
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-006: Cleartext storage of session identifier
PKSA-k7qq-jvk9-4s56 CVE-2021-21339 GHSA-qx3w-4864-94ch
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-005: Denial of Service in Page Error Handling
PKSA-8svt-p3nh-mpwn CVE-2021-21359 GHSA-4p9g-qgx9-397p
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2021-003: Broken Access Control in Form Framework
PKSA-xg1n-zvqv-pswm CVE-2021-21357 GHSA-3vg7-jw9m-pc3f
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2021-002: Unrestricted File Upload in Form Framework
PKSA-nxc9-3rpx-fj8p CVE-2021-21355 GHSA-2r6j-862c-m2v2
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-001: Open Redirection in Login Handling
PKSA-bmvt-8jd1-qp5w CVE-2021-21338 GHSA-4jhw-2p6j-5wmp
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] TYPO3-CORE-SA-2020-012: XML External Entity in Dashboard Widget
PKSA-5b2v-fk9x-ph9d CVE-2020-26229 GHSA-q9cp-mc96-m4w2
Affected version: >=10.0.0,<10.4.10
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2020-011: Cleartext storage of session identifier
PKSA-cqmn-5jhg-hqxx CVE-2020-26228 GHSA-954j-f27r-cj52
Affected version: >=10.0.0,<10.4.10|>=9.0.0,<9.5.23|>=8.7.0,<8.7.38
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2020-010: Cross-Site Scripting in Fluid view helpers
PKSA-2ynr-pyxr-sckk CVE-2020-26227 GHSA-vqqx-jw6p-q3rf
Affected version: >=10.0.0,<10.4.10|>=9.0.0,<9.5.23|>=8.7.0,<8.7.38
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2020-008: Sensitive Information Disclosure
PKSA-d1gc-jvn6-g46m CVE-2020-15098 GHSA-m5vr-3m74-jwxp
Affected version: >=10.0.0,<10.4.6|>=9.0.0,<9.5.20
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2020-007: Potential Privilege Escalation
PKSA-kzft-dxcq-xwfm CVE-2020-15099 GHSA-3x94-fv5h-5q2c
Affected version: >=10.0.0,<10.4.6|>=9.0.0,<9.5.20
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset
PKSA-mzh3-fprn-psqp CVE-2020-11063 GHSA-347x-877p-hcwx
Affected version: >=10.0.0,<10.4.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface
PKSA-ttpr-h5zy-14x1 CVE-2020-11069 GHSA-pqg8-crx9-g8m4
Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings
PKSA-769c-kbh8-sdc8 CVE-2020-11067 GHSA-2wj9-434x-9hvp
Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized
PKSA-sy5h-2rr8-prnp CVE-2020-11066 GHSA-2rxh-h6h9-qrqc
Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling
PKSA-8qyp-kq69-8m7s CVE-2020-11065 GHSA-4j77-gg36-9864
Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine
PKSA-k1cr-xs53-x3zz CVE-2020-11064 GHSA-43gj-mj2w-wh46
Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Insecure Deserialization in Query Generator & Query View
PKSA-2xbd-k6f8-vc7m CVE-2019-19849 GHSA-rcgc-4xfc-564v
Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SQL Injection in low-level Query Generator
PKSA-gt1g-9dsw-fhqp CVE-2019-19850 GHSA-59pj-7mjh-4465
Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Directory Traversal on ZIP extraction
PKSA-jydd-ptqz-cc3y CVE-2019-19848 GHSA-77p4-wfr8-977w
Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Cross-Site Scripting in Form Framework validation handling
PKSA-4jxn-z7kk-hs67 GHSA-rxc9-f2x6-qh4w
Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Cross-Site Scripting in Link Handling
PKSA-138z-v62j-p84r GHSA-4459-qrcc-vfcf
Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Possible Insecure Deserialization in Extbase Request Handling
PKSA-ngtt-95zk-116b GHSA-f9hr-7cfq-mjg2
Affected version: >=8.0.0,<8.7.30|>=9.0.0,<9.5.12
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Cross-Site Scripting in Filelist Module
PKSA-kgft-67y3-84tv GHSA-82vp-jr39-4j2j
Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Possible deserialization side-effects in symfony/cache
PKSA-t9b1-2gtq-zpcq CVE-2019-10912 GHSA-w2fr-65vp-mxw3
Affected version: >=9.0.0,<9.5.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Insecure Deserialization in TYPO3 CMS
PKSA-s5jg-xrdb-kcbj CVE-2019-12747 GHSA-86hp-xrhj-fhpq
Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Cross-Site Scripting in Link Handling
PKSA-v9y4-y7z6-sjjg CVE-2019-12748 GHSA-r6fv-56gp-j3r4
Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Security Misconfiguration in Frontend Session Handling
PKSA-tdw8-rcwc-259v GHSA-45wj-jv2h-jwrf
Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Broken Access Control in Import Module
PKSA-rfsn-q422-vhgz GHSA-g4c9-qfvw-fmr4
Affected version: >=9.0.0,<9.5.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Arbitrary Code Execution and Cross-Site Scripting in Backend API
PKSA-f5jr-dg29-ng7s GHSA-22q7-cg4r-p9mx
Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Information Disclosure in Backend User Interface
PKSA-xxc6-f4fc-bhvm GHSA-5h5v-m596-r6rf
Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Possible Arbitrary Code Execution in Image Processing
PKSA-zhxh-zqgh-5btz CVE-2019-11832 GHSA-3w4h-r27h-4r2w
Affected version: >=8.0.0,<8.7.25|>=9.0.0,<9.5.6
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Cross-Site Scripting in Fluid Engine
PKSA-1rbp-fbhh-b1cd CVE-2020-15241 GHSA-7733-hjv6-4h47
Affected version: >=8.0.0,<8.7.25|>=9.0.0,<9.5.6
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Information Disclosure in User Authentication
PKSA-6bzd-gjbs-96f6 GHSA-gqqf-g5r7-84vf
Affected version: >=9.0.0,<9.5.6
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Information Disclosure in Page Tree
PKSA-39st-t16f-w2cm GHSA-wj85-rg5g-v8jm
Affected version: >=9.0.0,<9.5.6
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Security Misconfiguration in User Session Handling
PKSA-44gr-w8s1-1nzt GHSA-g776-759r-pf6x
Affected version: >=8.0.0,<8.7.25|>=9.0.0,<9.5.6
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Cross-Site Scripting in Bootstrap CSS toolkit
PKSA-6rbt-6s1d-gvry CVE-2018-14041 GHSA-pj7m-g53m-7638
Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[CRITICAL] Arbitrary Code Execution via File List Module
PKSA-fnjs-nj4b-mz65 GHSA-cc97-g92w-jm65
Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Cross-Site Scripting in Language Pack Handling
PKSA-zmbz-zt2r-qk52 GHSA-96jg-pmc4-cx39
Affected version: >=9.0.0,<9.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Security Misconfiguration for Backend User Accounts
PKSA-jktp-yswk-rrww GHSA-hjx5-v9xg-7h25
Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Broken Access Control in Localization Handling
PKSA-xy95-nkpr-w5rm GHSA-xmgr-jff3-fcfv
Affected version: >=8.0.0,<8.7.23
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Information Disclosure of Installed Extensions
PKSA-t2bp-d8b3-sc74 GHSA-p2h4-7fp3-cmh8
Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Cross-Site Scripting in Form Framework
PKSA-3886-d5zt-qwrh GHSA-rv8r-8mh5-5376
Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Cross-Site Scripting in Fluid ViewHelpers
PKSA-ctc9-m9tc-zx87 GHSA-6xwf-7rfm-4gwc
Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Cross-Site Scripting in CKEditor
PKSA-5y7r-7h1g-qrym CVE-2018-17960 GHSA-g68x-vvqq-pvw3
Affected version: >=8.0.0,<8.7.21|>=9.0.0,<9.5.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Information Disclosure in Install Tool
PKSA-sntp-fryn-mxq8 GHSA-wg8h-gxf4-g4gh
Affected version: >=8.0.0,<8.7.21|>=9.0.0,<9.5.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Denial of Service in Online Media Asset Handling
PKSA-rvt7-wnc1-w2gd GHSA-8c25-vj2w-p72j
Affected version: >=8.0.0,<8.7.21|>=9.0.0,<9.5.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Cross-Site Scripting in Online Media Asset Rendering
PKSA-qszd-7zv5-3hkx GHSA-66c2-7g4p-wx4p
Affected version: >=8.0.0,<8.7.21|>=9.0.0,<9.5.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Cross-Site Scripting in Backend Modal Component
PKSA-yzt1-7625-ng3j GHSA-ppvg-hw62-6ph9
Affected version: >=8.0.0,<8.7.21|>=9.0.0,<9.5.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Denial of Service in Frontend Record Registration
PKSA-q5ym-2n81-pfr3 GHSA-29m4-mx89-3mjg
Affected version: >=8.0.0,<8.7.21
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Security Misconfiguration in Install Tool Cookie
PKSA-2q76-3mvw-8hk3 GHSA-9rx9-7fmh-gj3g
Affected version: >=8.0.0,<8.7.21|>=9.0.0,<9.5.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Cross-Site Scripting in Frontend User Login
PKSA-8d3v-z4d4-n11g GHSA-x428-565f-8xj2
Affected version: >=8.0.0,<8.7.21|>=9.0.0,<9.5.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Insecure Deserialization in TYPO3 CMS
PKSA-nx6h-6z7h-64pg GHSA-x4rj-f7m6-42c3
Affected version: >=8.5.0,<8.7.17|>=9.0.0,<9.3.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Privilege Escalation & SQL Injection in TYPO3 CMS
PKSA-jndc-1hrg-s597 GHSA-76r3-m635-p3vc
Affected version: >=8.5.0,<8.7.17|>=9.0.0,<9.3.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS
PKSA-53xp-pxrc-sbvb GHSA-wvvp-jwf5-qcpc
Affected version: >=8.0.0,<8.7.17|>=9.0.0,<9.3.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Authentication Bypass in TYPO3 CMS
PKSA-f4p7-n9ff-b1y3 GHSA-4ppr-jw47-9qm5
Affected version: >=8.0.0,<8.7.17|>=9.0.0,<9.3.2
Reported by:
GitHub, FriendsOfPHP/security-advisories