Vulnerabilities > Typo3

DATE CVE VULNERABILITY TITLE RISK
2019-11-04 CVE-2010-3665 Cross-site Scripting vulnerability in Typo3
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the Extension Manager.
network
typo3 CWE-79
3.5
3.5
2019-11-04 CVE-2010-3664 Information Exposure vulnerability in Typo3
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend.
network
low complexity
typo3 CWE-200
4.0
4.0
2019-11-04 CVE-2010-3663 Unrestricted Upload of File with Dangerous Type vulnerability in Typo3
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend.
network
low complexity
typo3 CWE-434
6.5
6.5
2019-11-04 CVE-2010-3662 SQL Injection vulnerability in Typo3
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.
network
low complexity
typo3 CWE-89
6.5
6.5
2019-11-01 CVE-2010-3661 Open Redirect vulnerability in Typo3
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Open Redirection on the backend.
network
typo3 CWE-601
5.8
5.8
2019-11-01 CVE-2010-3660 Cross-site Scripting vulnerability in Typo3
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the backend.
network
typo3 CWE-79
3.5
3.5
2019-07-09 CVE-2019-12748 Cross-site Scripting vulnerability in Typo3
TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS.
network
low complexity
typo3 CWE-79
6.1
6.1
2019-07-09 CVE-2019-12747 Deserialization of Untrusted Data vulnerability in Typo3
TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data.
network
low complexity
typo3 CWE-502
8.8
8.8
2019-05-09 CVE-2019-11832 Improper Input Validation vulnerability in Typo3
TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick.
network
typo3 CWE-20
critical
 9.3
9.3
2019-05-09 CVE-2019-11831 Deserialization of Untrusted Data vulnerability in multiple products
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
network
low complexity
typo3 debian fedoraproject drupal joomla CWE-502
critical
 9.8
9.8