Critical vulnerabilities in TYPO3

Each entry gives the publication date, the CVE identifier and title, a short description, and then the attack vector, attack complexity, affected products and CWE (where one is assigned), the risk rating and the CVSS base score.
2020-07-29  CVE-2020-15086  Unspecified vulnerability in TYPO3 mediace 7.6.2/7.6.3/7.6.4
In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, an internal verification mechanism can be abused to generate arbitrary checksums, so attacker-supplied data can be given a checksum the extension accepts as valid. Fixed in mediace 7.6.5.
Attack vector: network | Attack complexity: low | Products: typo3 | Risk: critical | CVSS: 9.8
2020-05-14  CVE-2020-11066  Unspecified vulnerability in TYPO3
In TYPO3 CMS 9.0.0 up to (excluding) 9.5.17 and 10.0.0 up to (excluding) 10.4.2, calling unserialize() on malicious user-submitted content lets the attacker set dynamically determined object attributes, which can trigger deletion of an arbitrary directory in the file system if that directory is writable for the web server. Fixed in 9.5.17 and 10.4.2.
Attack vector: network | Attack complexity: low | Products: typo3 | Risk: critical | CVSS: 10.0
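The attack pattern this entry describes, shown as an added example that is not TYPO3 code: a "cleanup on destruct" gadget reached through unserialize() on user input, next to the hardened call. The class TempDirCleanup, the helper names and the scratch directory are constructed for the illustration; the gadget class actually used in TYPO3 is not named on this page and is not reproduced here.

```php
<?php
// Added example, not TYPO3 code. Class, function and directory names are
// constructed for the illustration.
declare(strict_types=1);

// A "cleanup on destruct" class: it removes the directory it was given when
// the object is freed. Classes like this exist in many frameworks and are the
// gadget behind this kind of bug: unserialize() instantiates the class with
// attacker-chosen property values, and PHP runs __destruct() afterwards.
final class TempDirCleanup
{
    public string $dir;

    public function __construct(string $dir)
    {
        $this->dir = $dir;
    }

    public function __destruct()
    {
        // With an attacker-controlled $dir this is the "deletion of an
        // arbitrary directory" from the advisory text.
        if (is_dir($this->dir) && !is_link($this->dir)) {
            removeTree($this->dir);
        }
    }
}

function removeTree(string $dir): void
{
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if (is_dir($path) && !is_link($path)) {
            removeTree($path);
        } else {
            unlink($path);
        }
    }
    rmdir($dir);
}

// What the attacker submits: a serialized TempDirCleanup whose "dir"
// property points at a directory the web server can write to.
function buildPayload(string $target): string
{
    return 'O:14:"TempDirCleanup":1:{s:3:"dir";s:' . strlen($target) . ':"' . $target . '";}';
}

// Vulnerable: default unserialize() instantiates any defined class, so the
// destructor later runs with the attacker's $dir.
function vulnerableDeserialize(string $userInput)
{
    return unserialize($userInput);
}

// Hardened: allowed_classes => false turns every object in the input into
// __PHP_Incomplete_Class, which has no destructor and cannot act.
function hardenedDeserialize(string $userInput)
{
    return unserialize($userInput, ['allowed_classes' => false]);
}

// Run both paths against a scratch directory created only for this demo.
function demo(): array
{
    $victim = sys_get_temp_dir() . '/oi-demo-' . bin2hex(random_bytes(4));
    mkdir($victim);
    touch($victim . '/data.txt');
    $payload = buildPayload($victim);

    $safe = hardenedDeserialize($payload);
    $survivedHardened = is_dir($victim);     // does the directory survive the hardened call?

    $obj = vulnerableDeserialize($payload);
    unset($obj);                             // __destruct() fires here
    $survivedVulnerable = is_dir($victim);   // and after the vulnerable call?

    return [
        'hardened_returns_incomplete_class' => $safe instanceof __PHP_Incomplete_Class,
        'dir_survives_hardened_path'        => $survivedHardened,
        'dir_survives_vulnerable_path'      => $survivedVulnerable,
    ];
}

var_export(demo());
```

Run it with `php demo.php`. The point is that the attacker never calls anything: the destructor is the framework's own code, and unserialize() with default options is what hands it attacker-chosen state. Where object deserialization of user input is genuinely needed, an explicit `allowed_classes` list of plain data classes is the minimum; a format that cannot express objects (JSON) is better.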
2019-11-26  CVE-2011-3583  SQL Injection vulnerability in TYPO3
TYPO3 Core 4.5.0 through 4.5.5 uses a prepared-statement implementation in which parameter values may not be properly replaced, which can lead to SQL injection. The CVE identifier is from 2011; the entry was published on 2019-11-26.
Attack vector: network | Attack complexity: low | Products: typo3 | CWE: CWE-89 | Risk: critical | CVSS: 9.8
2019-11-06  CVE-2011-4628  Improper Authentication vulnerability in TYPO3
TYPO3 before 4.3.12, 4.4.x before 4.4.9 and 4.5.x before 4.5.4 allows remote attackers to bypass the backend's authentication mechanisms with a crafted request. Fixed in 4.3.12, 4.4.9 and 4.5.4. The CVE identifier is from 2011; the entry was published on 2019-11-06.
Attack vector: network | Attack complexity: low | Products: typo3 | CWE: CWE-287 | Risk: critical | CVSS: 9.8
2019-05-09  CVE-2019-11831  Deserialization of Untrusted Data vulnerability in multiple products
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass its deserialization protection, as demonstrated by a phar:///path/bad.phar/../good.phar URL. The affected-products list includes Drupal and Joomla, which ship this package, and the Debian and Fedora distributions. Fixed in 2.1.1 and 3.1.1.
Attack vector: network | Attack complexity: low | Products: typo3, debian, fedoraproject, drupal, joomla | CWE: CWE-502 | Risk: critical | CVSS: 9.8
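The traversal this entry describes, as an added example that is not code from phar-stream-wrapper: a naive allow-list check that normalizes the phar path before deciding which archive is being opened, next to a check that determines the archive first. It assumes, as PHP's own phar wrapper behaves, that the first path component ending in .phar names the archive and everything after it is a path inside that archive; the function names and the allow-list are constructed for the example.

```php
<?php
// Added example, not phar-stream-wrapper code. Function names and the
// allow-list are constructed for the illustration.
declare(strict_types=1);

// Collapse "." and ".." segments the way a naive path normalizer would.
function collapseDots(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Assumption used by this example: PHP's phar wrapper treats the FIRST path
// component ending in ".phar" as the archive; the rest is an in-archive path.
// Returns null when no archive component is present.
function archiveFor(string $pharUrl): ?string
{
    $path = preg_replace('#^phar://#', '', $pharUrl);
    $acc = '';
    foreach (explode('/', $path) as $seg) {
        if ($seg === '') {
            continue;
        }
        $acc .= '/' . $seg;
        if (substr($seg, -5) === '.phar') {
            return $acc;
        }
    }
    return null;
}

// Vulnerable check: normalize first, then look the result up in the
// allow-list. "bad.phar/../good.phar" collapses to good.phar, so the check
// passes although PHP opens bad.phar and deserializes ITS metadata.
function naiveAllowed(string $pharUrl, array $allowList): bool
{
    $normalized = collapseDots(preg_replace('#^phar://#', '', $pharUrl));
    return in_array($normalized, $allowList, true);
}

// Hardened check: decide which archive PHP will actually open before any
// normalization, and refuse URLs whose in-archive path traverses at all.
function strictAllowed(string $pharUrl, array $allowList): bool
{
    $archive = archiveFor($pharUrl);
    if ($archive === null || !in_array($archive, $allowList, true)) {
        return false;
    }
    $inner = substr(preg_replace('#^phar://#', '', $pharUrl), strlen($archive));
    foreach (explode('/', $inner) as $seg) {
        if ($seg === '..') {
            return false;
        }
    }
    return true;
}

// Constructed sample: only good.phar is trusted.
$allowList = ['/path/good.phar'];
$bypass    = 'phar:///path/bad.phar/../good.phar';
$legit     = 'phar:///path/good.phar/inner/file.txt';

var_export([
    'archive_php_opens_for_bypass' => archiveFor($bypass),
    'naive_check_on_bypass'        => naiveAllowed($bypass, $allowList),
    'strict_check_on_bypass'       => strictAllowed($bypass, $allowList),
    'strict_check_on_legit'        => strictAllowed($legit, $allowList),
]);
```

The general lesson is the same as for any path-based allow-list: the check must operate on the object the underlying subsystem will actually open, not on a string the checker has canonicalized on its own. Here the two disagree about which component is the archive, and the attacker picks the URL on which they disagree.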
2019-05-09  CVE-2019-11830  Deserialization of Untrusted Data vulnerability in TYPO3 PharStreamWrapper
PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass its deserialization protection. Fixed in 2.1.1 and 3.1.1.
Attack vector: network | Attack complexity: low | Products: typo3 | CWE: CWE-502 | Risk: critical | CVSS: 9.8