Security Advisories - typo3/cms

typo3/cms Security Advisories for v10.4.5 (35)

[HIGH] TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering

PKSA-2dds-jbmg-2pyg CVE-2023-24814 GHSA-r4f8-f93x-5qh3

Affected version: >=10.0.0,<10.4.35|>=11.0.0,<11.5.23|>=12.0.0,<12.2.0

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in HTML Sanitizer

PKSA-836z-82j1-zt6j CVE-2022-23499 GHSA-hvwx-qh2h-xcfj

Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration

PKSA-72zd-w89p-dd55 CVE-2022-23504 GHSA-8w3p-qh3x-6gjr

Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2022-015: Arbitrary Code Execution via Form Framework

PKSA-hnp1-st4h-rkt2 CVE-2022-23503 GHSA-c5wx-6c2c-f7rm

Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset

PKSA-cm5x-bvw7-z1ks CVE-2022-23502 GHSA-mgj2-q8wp-29rr

Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login

PKSA-sy8t-czj6-2rjr CVE-2022-23501 GHSA-jfp7-79g7-89rf

Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling

PKSA-wh51-qtyw-9mq5 CVE-2022-23500 GHSA-8c28-5mp7-v24h

Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-011: By-passing Cross-Site Scripting Protection in HTML Sanitizer

PKSA-hkkc-nfmp-dqpt CVE-2022-36020 GHSA-47m6-46mj-p235

Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-010: Cross-Site Scripting in <f:asset.css> view helper

PKSA-5bjw-symk-fz45 CVE-2022-36108 GHSA-fv2m-9249-qx85

Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-009: Stored Cross-Site Scripting via FileDumpController

PKSA-w21x-17n7-44qc CVE-2022-36107 GHSA-9c6w-55cp-5w25

Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-008: Missing check for expiration time of password reset token for backend users

PKSA-z12b-qvn6-4p12 CVE-2022-36106 GHSA-5959-4x58-r8c2

Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-007: User Enumeration via Response Timing

PKSA-rrh7-bw6s-dw97 CVE-2022-36105 GHSA-m392-235j-9r7r

Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-005: Insufficient Session Expiration in Admin Tool

PKSA-2hf7-8md4-q2c6 CVE-2022-31050 GHSA-wwjw-r3gj-39fq

Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-004: Cross-Site Scripting in Frontend Login Mailer

PKSA-jm7x-1zf6-9kw1 CVE-2022-31049 GHSA-h4mx-xv96-2jgm

Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-003: Cross-Site Scripting in Form Framework

PKSA-tycc-kzzh-s3ry CVE-2022-31048 GHSA-3r95-23jp-mhvg

Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-002: Information Disclosure via Exception Handling/Logger

PKSA-jbmh-6415-zvcd CVE-2022-31047 GHSA-fh99-4pgr-8j99

Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2022-001: Information Disclosure via Export Module

PKSA-v8mc-t224-q36f CVE-2022-31046 GHSA-8gmv-9hwg-w89g

Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-013: Cross-Site Scripting via Rich-Text Content

PKSA-f5pt-5p3j-9w13 CVE-2021-32768 GHSA-c5c9-8c6m-727v

Affected version: >=10.0.0,<10.4.19|>=11.0.0,<11.3.2|>=9.0.0,<9.5.29

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-012: Information Disclosure in User Authentication

PKSA-166g-yc33-swnp CVE-2021-32767 GHSA-34fr-fhqr-7235

Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-011: Cross-Site Scripting in Backend Grid View

PKSA-z4fg-75ns-v363 CVE-2021-32669 GHSA-rgcg-28xm-8mmw

Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-010: Cross-Site Scripting in Query Generator & Query View

PKSA-vhss-cbdf-h9zf CVE-2021-32668 GHSA-6mh3-j5r5-2379

Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-009: Cross-Site Scripting in Page Preview

PKSA-wk8d-zxk8-8xqc CVE-2021-32667 GHSA-8mq9-fqv8-59wf

Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-007: Cross-Site Scripting in Content Preview

PKSA-3cnr-vxft-4f7f CVE-2021-21340 GHSA-fjh3-g8gq-9q92

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-004: Cross-Site Scripting in Form Framework

PKSA-mzcd-fpv2-vf7h CVE-2021-21358 GHSA-x79j-wgqv-g8h2

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-008: Cross-Site Scripting in Content Preview

PKSA-txbn-cfcc-9zgj CVE-2021-21370 GHSA-x7hc-x7fm-f7qh

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-006: Cleartext storage of session identifier

PKSA-6rj9-2kkd-njb3 CVE-2021-21339 GHSA-qx3w-4864-94ch

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-005: Denial of Service in Page Error Handling

PKSA-g918-9bjy-w911 CVE-2021-21359 GHSA-4p9g-qgx9-397p

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2021-003: Broken Access Control in Form Framework

PKSA-wd9s-13sq-wnby CVE-2021-21357 GHSA-3vg7-jw9m-pc3f

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2021-002: Unrestricted File Upload in Form Framework

PKSA-3jwm-rpgc-y2bh CVE-2021-21355 GHSA-2r6j-862c-m2v2

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-001: Open Redirection in Login Handling

PKSA-4pvk-bqg1-qyqj CVE-2021-21338 GHSA-4jhw-2p6j-5wmp

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25

Reported by:
GitHub, FriendsOfPHP/security-advisories
[LOW] TYPO3-CORE-SA-2020-012: XML External Entity in Dashboard Widget

PKSA-6tyw-2n11-ssbd CVE-2020-26229 GHSA-q9cp-mc96-m4w2

Affected version: >=10.0.0,<10.4.10

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2020-011: Cleartext storage of session identifier

PKSA-tb1c-8bnf-mvmf CVE-2020-26228 GHSA-954j-f27r-cj52

Affected version: >=10.0.0,<10.4.10|>=9.0.0,<9.5.23|>=8.7.0,<8.7.38

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2020-010: Cross-Site Scripting in Fluid view helpers

PKSA-7sv8-gd3z-zptc CVE-2020-26227 GHSA-vqqx-jw6p-q3rf

Affected version: >=10.0.0,<10.4.10|>=9.0.0,<9.5.23|>=8.7.0,<8.7.38

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2020-008: Sensitive Information Disclosure

PKSA-89kh-571y-53vr CVE-2020-15098 GHSA-m5vr-3m74-jwxp

Affected version: >=10.0.0,<10.4.6|>=9.0.0,<9.5.20

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2020-007: Potential Privilege Escalation

PKSA-bvhz-zjdr-rz23 CVE-2020-15099 GHSA-3x94-fv5h-5q2c

Affected version: >=10.0.0,<10.4.6|>=9.0.0,<9.5.20

Reported by:
GitHub, FriendsOfPHP/security-advisories

typo3/cms Security Advisories for v10.4.5 (35)

[HIGH] TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering

[MEDIUM] TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in HTML Sanitizer

[MEDIUM] TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration

[HIGH] TYPO3-CORE-SA-2022-015: Arbitrary Code Execution via Form Framework

[MEDIUM] TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset

[MEDIUM] TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login

[MEDIUM] TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling

[MEDIUM] TYPO3-CORE-SA-2022-011: By-passing Cross-Site Scripting Protection in HTML Sanitizer

[MEDIUM] TYPO3-CORE-SA-2022-010: Cross-Site Scripting in <f:asset.css> view helper

[MEDIUM] TYPO3-CORE-SA-2022-009: Stored Cross-Site Scripting via FileDumpController

[MEDIUM] TYPO3-CORE-SA-2022-008: Missing check for expiration time of password reset token for backend users

[MEDIUM] TYPO3-CORE-SA-2022-007: User Enumeration via Response Timing

[MEDIUM] TYPO3-CORE-SA-2022-005: Insufficient Session Expiration in Admin Tool

[MEDIUM] TYPO3-CORE-SA-2022-004: Cross-Site Scripting in Frontend Login Mailer

[MEDIUM] TYPO3-CORE-SA-2022-003: Cross-Site Scripting in Form Framework

[MEDIUM] TYPO3-CORE-SA-2022-002: Information Disclosure via Exception Handling/Logger

[MEDIUM] TYPO3-CORE-SA-2022-001: Information Disclosure via Export Module

[MEDIUM] TYPO3-CORE-SA-2021-013: Cross-Site Scripting via Rich-Text Content

[MEDIUM] TYPO3-CORE-SA-2021-012: Information Disclosure in User Authentication

[MEDIUM] TYPO3-CORE-SA-2021-011: Cross-Site Scripting in Backend Grid View

[MEDIUM] TYPO3-CORE-SA-2021-010: Cross-Site Scripting in Query Generator &amp; Query View

[MEDIUM] TYPO3-CORE-SA-2021-009: Cross-Site Scripting in Page Preview

[MEDIUM] TYPO3-CORE-SA-2021-007: Cross-Site Scripting in Content Preview

[MEDIUM] TYPO3-CORE-SA-2021-004: Cross-Site Scripting in Form Framework

[MEDIUM] TYPO3-CORE-SA-2021-008: Cross-Site Scripting in Content Preview

[MEDIUM] TYPO3-CORE-SA-2021-006: Cleartext storage of session identifier

[MEDIUM] TYPO3-CORE-SA-2021-005: Denial of Service in Page Error Handling

[HIGH] TYPO3-CORE-SA-2021-003: Broken Access Control in Form Framework

[HIGH] TYPO3-CORE-SA-2021-002: Unrestricted File Upload in Form Framework

[MEDIUM] TYPO3-CORE-SA-2021-001: Open Redirection in Login Handling

[LOW] TYPO3-CORE-SA-2020-012: XML External Entity in Dashboard Widget

[HIGH] TYPO3-CORE-SA-2020-011: Cleartext storage of session identifier

[MEDIUM] TYPO3-CORE-SA-2020-010: Cross-Site Scripting in Fluid view helpers

[HIGH] TYPO3-CORE-SA-2020-008: Sensitive Information Disclosure

[HIGH] TYPO3-CORE-SA-2020-007: Potential Privilege Escalation

[MEDIUM] TYPO3-CORE-SA-2021-010: Cross-Site Scripting in Query Generator & Query View