Security Advisories - typo3/cms

typo3/cms Security Advisories for 8.0.1 (51)

[HIGH] TYPO3 Arbitrary Code Execution

PKSA-pt33-g1gs-b8wt CVE-2017-14251 GHSA-fh4q-hxrw-cjqq

Affected version: >=8.0.0,<8.7.5|>=7.6.0,<7.6.22

Reported by:
GitHub
[MEDIUM] Typo3 XSS Vulnerability

PKSA-j487-wgb6-g37w CVE-2018-6905 GHSA-3w22-wrwx-2r75

Affected version: <9.2.0

Reported by:
GitHub
[HIGH] Insecure Deserialization in Query Generator & Query View

PKSA-fyxc-qkr6-f3ry CVE-2019-19849 GHSA-rcgc-4xfc-564v

Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] SQL Injection in low-level Query Generator

PKSA-8qsb-zpqf-kwq2 CVE-2019-19850 GHSA-59pj-7mjh-4465

Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Directory Traversal on ZIP extraction

PKSA-187n-yk48-q1fv CVE-2019-19848 GHSA-77p4-wfr8-977w

Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Form Framework validation handling

PKSA-mk73-2ss9-7t3h GHSA-v5jp-4h2p-j2p4

Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Link Handling

PKSA-mgq1-q3nx-4qhb GHSA-5gr6-97fv-52cc

Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Possible Insecure Deserialization in Extbase Request Handling

PKSA-7wb5-3v3w-d2zd GHSA-qr5f-6fcv-w69q

Affected version: >=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Filelist Module

PKSA-jfwm-f2y6-dfw3 GHSA-2rcw-9hrm-8q7q

Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Insecure Deserialization in TYPO3 CMS

PKSA-bz6f-yjw4-93sv CVE-2019-12747 GHSA-86hp-xrhj-fhpq

Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Link Handling

PKSA-shfj-qhnv-r9fs CVE-2019-12748 GHSA-r6fv-56gp-j3r4

Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Security Misconfiguration in Frontend Session Handling

PKSA-s18m-y85n-1v87 GHSA-r9vc-jfmh-6j48

Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Arbitrary Code Execution and Cross-Site Scripting in Backend API

PKSA-5tf7-6x9k-c3q3 GHSA-mh3r-6cp5-hc2j

Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Information Disclosure in Backend User Interface

PKSA-vnc3-kwhr-kmwj GHSA-8m6j-p5jv-v69w

Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Possible Arbitrary Code Execution in Image Processing

PKSA-k6fx-zsn9-8q9f CVE-2019-11832 GHSA-3w4h-r27h-4r2w

Affected version: >=8.0.0,<8.7.25|>=9.0.0,<9.5.6

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Fluid Engine

PKSA-dmbp-4kzv-9s4r CVE-2020-15241 GHSA-7733-hjv6-4h47

Affected version: >=8.0.0,<8.7.25|>=9.0.0,<9.5.6

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Security Misconfiguration in User Session Handling

PKSA-r81x-w89x-1vq9 GHSA-g585-crjf-vhwq

Affected version: >=8.0.0,<8.7.25|>=9.0.0,<9.5.6

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Bootstrap CSS toolkit

PKSA-ww37-6vs7-z8br CVE-2018-14041 GHSA-pj7m-g53m-7638

Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Arbitrary Code Execution via File List Module

PKSA-5bn3-rb6y-yskr GHSA-jqr8-q455-xx45

Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[CRITICAL] Security Misconfiguration for Backend User Accounts

PKSA-vzzk-7qkd-5r89 GHSA-67wg-6j7r-mqh8

Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Broken Access Control in Localization Handling

PKSA-1g5v-h1gj-cdpx GHSA-m96r-7vqm-j95g

Affected version: >=8.0.0,<8.7.23

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Information Disclosure of Installed Extensions

PKSA-5v3b-yhjz-2p8k GHSA-xgmx-j3hv-jh9x

Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Form Framework

PKSA-1gbs-82ww-81jy GHSA-7q33-hxwj-7p8v

Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Fluid ViewHelpers

PKSA-x7y9-5n9c-2k2x GHSA-f3wf-q4fj-3gxf

Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in CKEditor

PKSA-qmq7-q129-2wts CVE-2018-17960 GHSA-g68x-vvqq-pvw3

Affected version: >=8.0.0,<8.7.21|>=9.0.0,<9.5.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Information Disclosure in Install Tool

PKSA-t1pf-cbfj-xyc5 GHSA-75mx-chcf-2q32

Affected version: >=7.0.0,<7.6.32|>=8.0.0,<8.7.21|>=9.0.0,<9.5.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Denial of Service in Online Media Asset Handling

PKSA-41jf-hqcz-2mxn GHSA-9895-53fc-98v2

Affected version: >=7.0.0,<7.6.32|>=8.0.0,<8.7.21|>=9.0.0,<9.5.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Online Media Asset Rendering

PKSA-94ws-swjq-dm6m GHSA-3jxq-5xhh-9jr3

Affected version: >=7.0.0,<7.6.32|>=8.0.0,<8.7.21|>=9.0.0,<9.5.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Backend Modal Component

PKSA-qzm7-ztqf-vx98 GHSA-86r8-4g3w-7xjp

Affected version: >=7.0.0,<7.6.32|>=8.0.0,<8.7.21|>=9.0.0,<9.5.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Denial of Service in Frontend Record Registration

PKSA-6wyc-z3gy-thx1 GHSA-g46h-v2cc-6c94

Affected version: >=7.0.0,<7.6.32|>=8.0.0,<8.7.21

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Security Misconfiguration in Install Tool Cookie

PKSA-99fq-1t5c-yckv GHSA-ppgf-8745-8pgx

Affected version: >=7.0.0,<7.6.32|>=8.0.0,<8.7.21|>=9.0.0,<9.5.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Frontend User Login

PKSA-j1v4-rzqw-fkx7 GHSA-772m-43f3-hmf8

Affected version: >=7.0.0,<7.6.32|>=8.0.0,<8.7.21|>=9.0.0,<9.5.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS

PKSA-z3s2-rzbm-sz8q GHSA-f5rr-9r84-wwqf

Affected version: >=7.0.0,<7.6.30|>=8.0.0,<8.7.17|>=9.0.0,<9.3.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Authentication Bypass in TYPO3 CMS

PKSA-b9qm-1gk1-gg53 GHSA-f777-f784-36gm

Affected version: >=7.0.0,<7.6.30|>=8.0.0,<8.7.17|>=9.0.0,<9.3.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Information Disclosure in TYPO3 CMS

PKSA-mnvr-nmxv-xndp GHSA-qffc-gwpp-m2xr

Affected version: >=7.6.0,<7.6.22|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.7.5

Reported by:
GitHub, FriendsOfPHP/security-advisories
[LOW] Information Disclosure in TYPO3 CMS

PKSA-k469-q3x3-m5wx GHSA-c7p6-3c9c-f88q

Affected version: >=7.6.0,<7.6.22|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.7.5

Reported by:
GitHub, FriendsOfPHP/security-advisories
[LOW] Arbitrary Code Execution in TYPO3 CMS

PKSA-ycd2-g5rr-5v84 GHSA-h934-f4m4-wc8x

Affected version: >=7.6.0,<7.6.22|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.7.5

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in TYPO3 CMS Backend

PKSA-ytg9-3z8d-xh45 GHSA-v8m4-3w37-ghxx

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.7.5

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in TYPO3 CMS

PKSA-v896-gj2z-rpdn GHSA-q9c4-9v5m-597p

Affected version: >=7.6.0,<7.6.16|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.6.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Remote Code Execution in third party library swiftmailer

PKSA-y99p-vnsv-h8zb GHSA-85ch-44w7-rf32

Affected version: >=6.2.0,<6.2.30|>=7.6.0,<7.6.15|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.5.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Insecure Unserialize in TYPO3 Backend

PKSA-p9pn-ckkr-j9gj GHSA-vgm8-r9gm-fw59

Affected version: >=6.2.0,<6.2.29|>=7.6.0,<7.6.13|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.4.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Path Traversal in TYPO3 Core

PKSA-ycv6-vk58-crph GHSA-g7hw-jh4p-75wr

Affected version: >=6.2.0,<6.2.29|>=7.6.0,<7.6.13|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.4.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Cache Flooding in TYPO3 Frontend

PKSA-5nxh-6dvz-pwx2 GHSA-8h28-f46f-m87h

Affected version: >=6.2.0,<6.2.27|>=7.6.0,<7.6.11|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.3.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in TYPO3 Backend

PKSA-p1xw-bm9t-9mgz GHSA-pw2q-qwvj-gh43

Affected version: >=6.2.0,<6.2.27|>=7.6.0,<7.6.11|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.3.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Environment Variable Injection

PKSA-xycg-n8fx-k2xm CVE-2016-5385 GHSA-m6ch-gg5f-wxx3

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.2.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Cross-Site Scripting vulnerability in typolinks

PKSA-qkq5-q75r-wn3g GHSA-7qwg-fcpw-xg5g

Affected version: >=6.2.0,<6.2.26|>=7.6.0,<7.6.10|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.2.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Information Disclosure in TYPO3 Backend

PKSA-q6zv-zcsh-21h8 GHSA-6f9m-v7mp-7jjq

Affected version: >=6.2.0,<6.2.26|>=7.6.0,<7.6.10|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.2.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in TYPO3 Backend

PKSA-h9f8-fcdd-y5cz GHSA-g9rv-6g56-65h8

Affected version: >=6.2.0,<6.2.26|>=7.6.0,<7.6.10|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.2.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in third party library mso/idna-convert

PKSA-7xg5-dg5x-pjsz GHSA-259v-xm34-p7fr

Affected version: >=7.6.0,<7.6.10|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.2.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Insecure Unserialize in TYPO3 Import/Export

PKSA-8qyh-77q4-9nh2 GHSA-8h4m-r4wm-xj7r

Affected version: >=6.2.0,<6.2.26|>=7.6.0,<7.6.10|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.2.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Missing Access Check in TYPO3 CMS

PKSA-6w93-8p38-vgt5 GHSA-f624-8hfq-5fh3

Affected version: >=6.2.0,<6.2.25|>=7.6.0,<7.6.8|>=8.0.0,<8.1.1|>=8.1.0,<8.1.1

Reported by:
GitHub, FriendsOfPHP/security-advisories

typo3/cms Security Advisories for 8.0.1 (51)

[HIGH] TYPO3 Arbitrary Code Execution

[MEDIUM] Typo3 XSS Vulnerability

[HIGH] Insecure Deserialization in Query Generator &amp; Query View

[MEDIUM] SQL Injection in low-level Query Generator

[MEDIUM] Directory Traversal on ZIP extraction

[MEDIUM] Cross-Site Scripting in Form Framework validation handling

[MEDIUM] Cross-Site Scripting in Link Handling

[MEDIUM] Possible Insecure Deserialization in Extbase Request Handling

[MEDIUM] Cross-Site Scripting in Filelist Module

[HIGH] Insecure Deserialization in TYPO3 CMS

[MEDIUM] Cross-Site Scripting in Link Handling

[HIGH] Security Misconfiguration in Frontend Session Handling

[MEDIUM] Arbitrary Code Execution and Cross-Site Scripting in Backend API

[MEDIUM] Information Disclosure in Backend User Interface

[HIGH] Possible Arbitrary Code Execution in Image Processing

[MEDIUM] Cross-Site Scripting in Fluid Engine

[HIGH] Security Misconfiguration in User Session Handling

[MEDIUM] Cross-Site Scripting in Bootstrap CSS toolkit

[MEDIUM] Arbitrary Code Execution via File List Module

[CRITICAL] Security Misconfiguration for Backend User Accounts

[MEDIUM] Broken Access Control in Localization Handling

[MEDIUM] Information Disclosure of Installed Extensions

[MEDIUM] Cross-Site Scripting in Form Framework

[MEDIUM] Cross-Site Scripting in Fluid ViewHelpers

[MEDIUM] Cross-Site Scripting in CKEditor

[MEDIUM] Information Disclosure in Install Tool

[HIGH] Denial of Service in Online Media Asset Handling

[MEDIUM] Cross-Site Scripting in Online Media Asset Rendering

[MEDIUM] Cross-Site Scripting in Backend Modal Component

[MEDIUM] Denial of Service in Frontend Record Registration

[HIGH] Security Misconfiguration in Install Tool Cookie

[MEDIUM] Cross-Site Scripting in Frontend User Login

[MEDIUM] Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS

[HIGH] Authentication Bypass in TYPO3 CMS

[HIGH] Information Disclosure in TYPO3 CMS

[LOW] Information Disclosure in TYPO3 CMS

[LOW] Arbitrary Code Execution in TYPO3 CMS

[MEDIUM] Cross-Site Scripting in TYPO3 CMS Backend

[MEDIUM] Cross-Site Scripting in TYPO3 CMS

[MEDIUM] Remote Code Execution in third party library swiftmailer

[MEDIUM] Insecure Unserialize in TYPO3 Backend

[MEDIUM] Path Traversal in TYPO3 Core

[HIGH] Cache Flooding in TYPO3 Frontend

[MEDIUM] Cross-Site Scripting in TYPO3 Backend

[HIGH] Environment Variable Injection

[HIGH] Cross-Site Scripting vulnerability in typolinks

[MEDIUM] Information Disclosure in TYPO3 Backend

[MEDIUM] Cross-Site Scripting in TYPO3 Backend

[MEDIUM] Cross-Site Scripting in third party library mso/idna-convert

[HIGH] Insecure Unserialize in TYPO3 Import/Export

[MEDIUM] Missing Access Check in TYPO3 CMS

[HIGH] Insecure Deserialization in Query Generator & Query View