Vulnerabilities > Typo3 > Typo3
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-10-08 | CVE-2020-15241 | Cross-site Scripting vulnerability in Typo3 Fluid Engine and Typo3 TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. | 4.3 |
| 2020-07-29 | CVE-2020-15099 | Improper Input Validation vulnerability in Typo3 In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. | 6.8 |
| 2020-07-29 | CVE-2020-15098 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Typo3 In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. | 6.5 |
| 2020-05-14 | CVE-2020-11069 | Unspecified vulnerability in Typo3 In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. network typo3 | 6.8 |
| 2020-05-14 | CVE-2020-11067 | Deserialization of Untrusted Data vulnerability in Typo3 In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. | 6.0 |
| 2020-05-14 | CVE-2020-11066 | Unspecified vulnerability in Typo3 In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. | 10.0 |
| 2020-05-13 | CVE-2020-11065 | Cross-site Scripting vulnerability in Typo3 In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly. | 3.5 |
| 2020-05-13 | CVE-2020-11064 | Cross-site Scripting vulnerability in Typo3 In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. | 3.5 |
| 2020-05-13 | CVE-2020-11063 | Information Exposure Through Discrepancy vulnerability in Typo3 10.4.0/10.4.1 In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. | 4.3 |
| 2020-01-27 | CVE-2020-8091 | Cross-site Scripting vulnerability in Typo3 svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. | 4.3 |