Security Advisories - typo3/cms

typo3/cms Security Advisories for v9.5.3 (46)

[MEDIUM] TYPO3-CORE-SA-2021-013: Cross-Site Scripting via Rich-Text Content

PKSA-f5pt-5p3j-9w13 CVE-2021-32768 GHSA-c5c9-8c6m-727v

Affected version: >=10.0.0,<10.4.19|>=11.0.0,<11.3.2|>=9.0.0,<9.5.29

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-012: Information Disclosure in User Authentication

PKSA-166g-yc33-swnp CVE-2021-32767 GHSA-34fr-fhqr-7235

Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-011: Cross-Site Scripting in Backend Grid View

PKSA-z4fg-75ns-v363 CVE-2021-32669 GHSA-rgcg-28xm-8mmw

Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-010: Cross-Site Scripting in Query Generator & Query View

PKSA-vhss-cbdf-h9zf CVE-2021-32668 GHSA-6mh3-j5r5-2379

Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-009: Cross-Site Scripting in Page Preview

PKSA-wk8d-zxk8-8xqc CVE-2021-32667 GHSA-8mq9-fqv8-59wf

Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-008: Cross-Site Scripting in Content Preview

PKSA-txbn-cfcc-9zgj CVE-2021-21370 GHSA-x7hc-x7fm-f7qh

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-006: Cleartext storage of session identifier

PKSA-6rj9-2kkd-njb3 CVE-2021-21339 GHSA-qx3w-4864-94ch

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-005: Denial of Service in Page Error Handling

PKSA-g918-9bjy-w911 CVE-2021-21359 GHSA-4p9g-qgx9-397p

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2021-003: Broken Access Control in Form Framework

PKSA-wd9s-13sq-wnby CVE-2021-21357 GHSA-3vg7-jw9m-pc3f

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2021-002: Unrestricted File Upload in Form Framework

PKSA-3jwm-rpgc-y2bh CVE-2021-21355 GHSA-2r6j-862c-m2v2

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2021-001: Open Redirection in Login Handling

PKSA-4pvk-bqg1-qyqj CVE-2021-21338 GHSA-4jhw-2p6j-5wmp

Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2020-011: Cleartext storage of session identifier

PKSA-tb1c-8bnf-mvmf CVE-2020-26228 GHSA-954j-f27r-cj52

Affected version: >=10.0.0,<10.4.10|>=9.0.0,<9.5.23|>=8.7.0,<8.7.38

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2020-010: Cross-Site Scripting in Fluid view helpers

PKSA-7sv8-gd3z-zptc CVE-2020-26227 GHSA-vqqx-jw6p-q3rf

Affected version: >=10.0.0,<10.4.10|>=9.0.0,<9.5.23|>=8.7.0,<8.7.38

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2020-008: Sensitive Information Disclosure

PKSA-89kh-571y-53vr CVE-2020-15098 GHSA-m5vr-3m74-jwxp

Affected version: >=10.0.0,<10.4.6|>=9.0.0,<9.5.20

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2020-007: Potential Privilege Escalation

PKSA-bvhz-zjdr-rz23 CVE-2020-15099 GHSA-3x94-fv5h-5q2c

Affected version: >=10.0.0,<10.4.6|>=9.0.0,<9.5.20

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface

PKSA-vncq-mbcp-6vyd CVE-2020-11069 GHSA-pqg8-crx9-g8m4

Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings

PKSA-dxxk-hc9h-1z3f CVE-2020-11067 GHSA-2wj9-434x-9hvp

Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized

PKSA-ss2r-276b-st5d CVE-2020-11066 GHSA-2rxh-h6h9-qrqc

Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling

PKSA-fzgc-n67f-tpd3 CVE-2020-11065 GHSA-4j77-gg36-9864

Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine

PKSA-fpbs-1vv7-3m1y CVE-2020-11064 GHSA-43gj-mj2w-wh46

Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Insecure Deserialization in Query Generator & Query View

PKSA-fyxc-qkr6-f3ry CVE-2019-19849 GHSA-rcgc-4xfc-564v

Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] SQL Injection in low-level Query Generator

PKSA-8qsb-zpqf-kwq2 CVE-2019-19850 GHSA-59pj-7mjh-4465

Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Directory Traversal on ZIP extraction

PKSA-187n-yk48-q1fv CVE-2019-19848 GHSA-77p4-wfr8-977w

Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Form Framework validation handling

PKSA-mk73-2ss9-7t3h GHSA-v5jp-4h2p-j2p4

Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Link Handling

PKSA-mgq1-q3nx-4qhb GHSA-5gr6-97fv-52cc

Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Possible Insecure Deserialization in Extbase Request Handling

PKSA-7wb5-3v3w-d2zd GHSA-qr5f-6fcv-w69q

Affected version: >=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Filelist Module

PKSA-jfwm-f2y6-dfw3 GHSA-2rcw-9hrm-8q7q

Affected version: >=10.0.0,<10.2.1|>=8.0.0,<8.7.30|>=9.0.0,<9.5.12

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Possible deserialization side-effects in symfony/cache

PKSA-qvvz-qgnj-hhv9 CVE-2019-10912 GHSA-w2fr-65vp-mxw3

Affected version: >=9.0.0,<9.5.8

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Insecure Deserialization in TYPO3 CMS

PKSA-bz6f-yjw4-93sv CVE-2019-12747 GHSA-86hp-xrhj-fhpq

Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Link Handling

PKSA-shfj-qhnv-r9fs CVE-2019-12748 GHSA-r6fv-56gp-j3r4

Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Security Misconfiguration in Frontend Session Handling

PKSA-s18m-y85n-1v87 GHSA-r9vc-jfmh-6j48

Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Broken Access Control in Import Module

PKSA-sbk1-m9m1-226k GHSA-6fc6-cj2j-h22x

Affected version: >=9.0.0,<9.5.8

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Arbitrary Code Execution and Cross-Site Scripting in Backend API

PKSA-5tf7-6x9k-c3q3 GHSA-mh3r-6cp5-hc2j

Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Information Disclosure in Backend User Interface

PKSA-vnc3-kwhr-kmwj GHSA-8m6j-p5jv-v69w

Affected version: >=8.0.0,<8.7.27|>=9.0.0,<9.5.8

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Possible Arbitrary Code Execution in Image Processing

PKSA-k6fx-zsn9-8q9f CVE-2019-11832 GHSA-3w4h-r27h-4r2w

Affected version: >=8.0.0,<8.7.25|>=9.0.0,<9.5.6

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Fluid Engine

PKSA-dmbp-4kzv-9s4r CVE-2020-15241 GHSA-7733-hjv6-4h47

Affected version: >=8.0.0,<8.7.25|>=9.0.0,<9.5.6

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Information Disclosure in User Authentication

PKSA-42st-jf9j-4xyr GHSA-45xg-4w5x-j429

Affected version: >=9.0.0,<9.5.6

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Information Disclosure in Page Tree

PKSA-rjjk-45pj-2wfd GHSA-hh95-5xm5-v8v7

Affected version: >=9.0.0,<9.5.6

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Security Misconfiguration in User Session Handling

PKSA-r81x-w89x-1vq9 GHSA-g585-crjf-vhwq

Affected version: >=8.0.0,<8.7.25|>=9.0.0,<9.5.6

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Bootstrap CSS toolkit

PKSA-ww37-6vs7-z8br CVE-2018-14041 GHSA-pj7m-g53m-7638

Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Arbitrary Code Execution via File List Module

PKSA-5bn3-rb6y-yskr GHSA-jqr8-q455-xx45

Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Language Pack Handling

PKSA-n1qf-pfk3-6gdz GHSA-5j86-5xvg-7q93

Affected version: >=9.0.0,<9.5.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[CRITICAL] Security Misconfiguration for Backend User Accounts

PKSA-vzzk-7qkd-5r89 GHSA-67wg-6j7r-mqh8

Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Information Disclosure of Installed Extensions

PKSA-5v3b-yhjz-2p8k GHSA-xgmx-j3hv-jh9x

Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Form Framework

PKSA-1gbs-82ww-81jy GHSA-7q33-hxwj-7p8v

Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-Site Scripting in Fluid ViewHelpers

PKSA-x7y9-5n9c-2k2x GHSA-f3wf-q4fj-3gxf

Affected version: >=8.0.0,<8.7.23|>=9.0.0,<9.5.4

Reported by:
GitHub, FriendsOfPHP/security-advisories

typo3/cms Security Advisories for v9.5.3 (46)

[MEDIUM] TYPO3-CORE-SA-2021-013: Cross-Site Scripting via Rich-Text Content

[MEDIUM] TYPO3-CORE-SA-2021-012: Information Disclosure in User Authentication

[MEDIUM] TYPO3-CORE-SA-2021-011: Cross-Site Scripting in Backend Grid View

[MEDIUM] TYPO3-CORE-SA-2021-010: Cross-Site Scripting in Query Generator &amp; Query View

[MEDIUM] TYPO3-CORE-SA-2021-009: Cross-Site Scripting in Page Preview

[MEDIUM] TYPO3-CORE-SA-2021-008: Cross-Site Scripting in Content Preview

[MEDIUM] TYPO3-CORE-SA-2021-006: Cleartext storage of session identifier

[MEDIUM] TYPO3-CORE-SA-2021-005: Denial of Service in Page Error Handling

[HIGH] TYPO3-CORE-SA-2021-003: Broken Access Control in Form Framework

[HIGH] TYPO3-CORE-SA-2021-002: Unrestricted File Upload in Form Framework

[MEDIUM] TYPO3-CORE-SA-2021-001: Open Redirection in Login Handling

[HIGH] TYPO3-CORE-SA-2020-011: Cleartext storage of session identifier

[MEDIUM] TYPO3-CORE-SA-2020-010: Cross-Site Scripting in Fluid view helpers

[HIGH] TYPO3-CORE-SA-2020-008: Sensitive Information Disclosure

[HIGH] TYPO3-CORE-SA-2020-007: Potential Privilege Escalation

[HIGH] TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface

[HIGH] TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings

[HIGH] TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized

[MEDIUM] TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling

[MEDIUM] TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine

[HIGH] Insecure Deserialization in Query Generator &amp; Query View

[MEDIUM] SQL Injection in low-level Query Generator

[MEDIUM] Directory Traversal on ZIP extraction

[MEDIUM] Cross-Site Scripting in Form Framework validation handling

[MEDIUM] Cross-Site Scripting in Link Handling

[MEDIUM] Possible Insecure Deserialization in Extbase Request Handling

[MEDIUM] Cross-Site Scripting in Filelist Module

[HIGH] Possible deserialization side-effects in symfony/cache

[HIGH] Insecure Deserialization in TYPO3 CMS

[MEDIUM] Cross-Site Scripting in Link Handling

[HIGH] Security Misconfiguration in Frontend Session Handling

[MEDIUM] Broken Access Control in Import Module

[MEDIUM] Arbitrary Code Execution and Cross-Site Scripting in Backend API

[MEDIUM] Information Disclosure in Backend User Interface

[HIGH] Possible Arbitrary Code Execution in Image Processing

[MEDIUM] Cross-Site Scripting in Fluid Engine

[HIGH] Information Disclosure in User Authentication

[HIGH] Information Disclosure in Page Tree

[HIGH] Security Misconfiguration in User Session Handling

[MEDIUM] Cross-Site Scripting in Bootstrap CSS toolkit

[MEDIUM] Arbitrary Code Execution via File List Module

[MEDIUM] Cross-Site Scripting in Language Pack Handling

[CRITICAL] Security Misconfiguration for Backend User Accounts

[MEDIUM] Information Disclosure of Installed Extensions

[MEDIUM] Cross-Site Scripting in Form Framework

[MEDIUM] Cross-Site Scripting in Fluid ViewHelpers

[MEDIUM] TYPO3-CORE-SA-2021-010: Cross-Site Scripting in Query Generator & Query View

[HIGH] Insecure Deserialization in Query Generator & Query View