
CVSS: 5.4 | EPSS: 0% | CPEs: 32 | EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified parameters to the extension manager, or unspecified parameters to unknown backend forms.

• http://www.openwall.com/lists/oss-security/2010/09/28/8
• http://www.openwall.com/lists/oss-security/2014/02/12/8
• http://www.securityfocus.com/bid/42029
• https://security-tracker.debian.org/tracker/CVE-2010-3659
• https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-012
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 42 | EXPL: 1

Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code.

• http://blog.emaze.net/2017/12/typo3-unrestricted-file-upload-remote.html
• http://www.securityfocus.com/bid/100620
• http://www.securitytracker.com/id/1039295
• https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-007
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields.

• http://www.securityfocus.com/bid/97071
• https://github.com/faizzaidi/TYPO3-v7.6.15-Unencrypted-Login-Request
• CWE-319: Cleartext Transmission of Sensitive Information

CVSS: 6.1 | EPSS: 0% | CPEs: 32 | EXPL: 1

Cross-site scripting (XSS) vulnerability in the Backend component in TYPO3 6.2.x before 6.2.19 allows remote attackers to inject arbitrary web script or HTML via the module parameter when creating a bookmark.

• http://www.openwall.com/lists/oss-security/2016/04/21/1
• https://labs.integrity.pt/advisories/cve-pending-stored-cross-site-scripting-in-typo3-bookmarks
• https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-006
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.1 | EPSS: 3% | CPEs: 19 | EXPL: 0

Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action.

• http://www.openwall.com/lists/oss-security/2016/05/25/4
• http://www.openwall.com/lists/oss-security/2016/05/26/2
• https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013
• CWE-254: 7PK - Security Features