typo3/cms Security Advisories for v10.2.1 (41)
-
[HIGH] TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering
PKSA-2dds-jbmg-2pyg CVE-2023-24814 GHSA-r4f8-f93x-5qh3
Affected version: >=10.0.0,<10.4.35|>=11.0.0,<11.5.23|>=12.0.0,<12.2.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in HTML Sanitizer
PKSA-836z-82j1-zt6j CVE-2022-23499 GHSA-hvwx-qh2h-xcfj
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration
PKSA-72zd-w89p-dd55 CVE-2022-23504 GHSA-8w3p-qh3x-6gjr
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2022-015: Arbitrary Code Execution via Form Framework
PKSA-hnp1-st4h-rkt2 CVE-2022-23503 GHSA-c5wx-6c2c-f7rm
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset
PKSA-cm5x-bvw7-z1ks CVE-2022-23502 GHSA-mgj2-q8wp-29rr
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login
PKSA-sy8t-czj6-2rjr CVE-2022-23501 GHSA-jfp7-79g7-89rf
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling
PKSA-wh51-qtyw-9mq5 CVE-2022-23500 GHSA-8c28-5mp7-v24h
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-011: By-passing Cross-Site Scripting Protection in HTML Sanitizer
PKSA-hkkc-nfmp-dqpt CVE-2022-36020 GHSA-47m6-46mj-p235
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-010: Cross-Site Scripting in <f:asset.css> view helper
PKSA-5bjw-symk-fz45 CVE-2022-36108 GHSA-fv2m-9249-qx85
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-009: Stored Cross-Site Scripting via FileDumpController
PKSA-w21x-17n7-44qc CVE-2022-36107 GHSA-9c6w-55cp-5w25
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-008: Missing check for expiration time of password reset token for backend users
PKSA-z12b-qvn6-4p12 CVE-2022-36106 GHSA-5959-4x58-r8c2
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-007: User Enumeration via Response Timing
PKSA-rrh7-bw6s-dw97 CVE-2022-36105 GHSA-m392-235j-9r7r
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-005: Insufficient Session Expiration in Admin Tool
PKSA-2hf7-8md4-q2c6 CVE-2022-31050 GHSA-wwjw-r3gj-39fq
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-004: Cross-Site Scripting in Frontend Login Mailer
PKSA-jm7x-1zf6-9kw1 CVE-2022-31049 GHSA-h4mx-xv96-2jgm
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-003: Cross-Site Scripting in Form Framework
PKSA-tycc-kzzh-s3ry CVE-2022-31048 GHSA-3r95-23jp-mhvg
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-002: Information Disclosure via Exception Handling/Logger
PKSA-jbmh-6415-zvcd CVE-2022-31047 GHSA-fh99-4pgr-8j99
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-001: Information Disclosure via Export Module
PKSA-v8mc-t224-q36f CVE-2022-31046 GHSA-8gmv-9hwg-w89g
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-013: Cross-Site Scripting via Rich-Text Content
PKSA-f5pt-5p3j-9w13 CVE-2021-32768 GHSA-c5c9-8c6m-727v
Affected version: >=10.0.0,<10.4.19|>=11.0.0,<11.3.2|>=9.0.0,<9.5.29
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-012: Information Disclosure in User Authentication
PKSA-166g-yc33-swnp CVE-2021-32767 GHSA-34fr-fhqr-7235
Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-011: Cross-Site Scripting in Backend Grid View
PKSA-z4fg-75ns-v363 CVE-2021-32669 GHSA-rgcg-28xm-8mmw
Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-010: Cross-Site Scripting in Query Generator & Query View
PKSA-vhss-cbdf-h9zf CVE-2021-32668 GHSA-6mh3-j5r5-2379
Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-009: Cross-Site Scripting in Page Preview
PKSA-wk8d-zxk8-8xqc CVE-2021-32667 GHSA-8mq9-fqv8-59wf
Affected version: >=10.0.0,<10.4.18|>=11.0.0,<11.3.1|>=9.0.0,<9.5.28
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-007: Cross-Site Scripting in Content Preview
PKSA-3cnr-vxft-4f7f CVE-2021-21340 GHSA-fjh3-g8gq-9q92
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-004: Cross-Site Scripting in Form Framework
PKSA-mzcd-fpv2-vf7h CVE-2021-21358 GHSA-x79j-wgqv-g8h2
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-008: Cross-Site Scripting in Content Preview
PKSA-txbn-cfcc-9zgj CVE-2021-21370 GHSA-x7hc-x7fm-f7qh
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-006: Cleartext storage of session identifier
PKSA-6rj9-2kkd-njb3 CVE-2021-21339 GHSA-qx3w-4864-94ch
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-005: Denial of Service in Page Error Handling
PKSA-g918-9bjy-w911 CVE-2021-21359 GHSA-4p9g-qgx9-397p
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2021-003: Broken Access Control in Form Framework
PKSA-wd9s-13sq-wnby CVE-2021-21357 GHSA-3vg7-jw9m-pc3f
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2021-002: Unrestricted File Upload in Form Framework
PKSA-3jwm-rpgc-y2bh CVE-2021-21355 GHSA-2r6j-862c-m2v2
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2021-001: Open Redirection in Login Handling
PKSA-4pvk-bqg1-qyqj CVE-2021-21338 GHSA-4jhw-2p6j-5wmp
Affected version: >=10.0.0,<10.4.14|>=11.0.0,<11.1.1|>=9.0.0,<9.5.25
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] TYPO3-CORE-SA-2020-012: XML External Entity in Dashboard Widget
PKSA-6tyw-2n11-ssbd CVE-2020-26229 GHSA-q9cp-mc96-m4w2
Affected version: >=10.0.0,<10.4.10
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2020-011: Cleartext storage of session identifier
PKSA-tb1c-8bnf-mvmf CVE-2020-26228 GHSA-954j-f27r-cj52
Affected version: >=10.0.0,<10.4.10|>=9.0.0,<9.5.23|>=8.7.0,<8.7.38
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2020-010: Cross-Site Scripting in Fluid view helpers
PKSA-7sv8-gd3z-zptc CVE-2020-26227 GHSA-vqqx-jw6p-q3rf
Affected version: >=10.0.0,<10.4.10|>=9.0.0,<9.5.23|>=8.7.0,<8.7.38
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2020-008: Sensitive Information Disclosure
PKSA-89kh-571y-53vr CVE-2020-15098 GHSA-m5vr-3m74-jwxp
Affected version: >=10.0.0,<10.4.6|>=9.0.0,<9.5.20
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2020-007: Potential Privilege Escalation
PKSA-bvhz-zjdr-rz23 CVE-2020-15099 GHSA-3x94-fv5h-5q2c
Affected version: >=10.0.0,<10.4.6|>=9.0.0,<9.5.20
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset
PKSA-f4bv-c86k-p2bf CVE-2020-11063 GHSA-347x-877p-hcwx
Affected version: >=10.0.0,<10.4.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface
PKSA-vncq-mbcp-6vyd CVE-2020-11069 GHSA-pqg8-crx9-g8m4
Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings
PKSA-dxxk-hc9h-1z3f CVE-2020-11067 GHSA-2wj9-434x-9hvp
Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized
PKSA-ss2r-276b-st5d CVE-2020-11066 GHSA-2rxh-h6h9-qrqc
Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling
PKSA-fzgc-n67f-tpd3 CVE-2020-11065 GHSA-4j77-gg36-9864
Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine
PKSA-fpbs-1vv7-3m1y CVE-2020-11064 GHSA-43gj-mj2w-wh46
Affected version: >=10.0.0,<10.4.2|>=9.0.0,<9.5.17
Reported by:
GitHub, FriendsOfPHP/security-advisories