CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2010-3660
https://notcve.org/view.php?id=CVE-2010-3660
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the backend. TYPO3 versiones anteriores a 4.1.14, versiones 4.2.x anteriores a 4.2.13, versiones 4.3.x anteriores a 4.3.4 y versiones 4.4.x anteriores a 4.4.1, permite un ataque de tipo XSS en el back-end. • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719 https://security-tracker.debian.org/tracker/CVE-2010-3660 https://typo3.org/security/advisory/typo3-sa-2010-012/#XSS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-12748
https://notcve.org/view.php?id=CVE-2019-12748
TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. TYPO3 versiones 8.3.0 hasta 8.7.26 y versiones 9.0.0 hasta 9.5.7, permite un problema de tipo XSS. • https://typo3.org/security/advisory/typo3-core-sa-2019-015 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-12747
https://notcve.org/view.php?id=CVE-2019-12747
TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. TYPO3 versiones 8.x hasta 8.7.26 y versiones 9.x hasta 9.5.7, permite la Deserialización de Datos No Seguros. • https://typo3.org/security/advisory/typo3-core-sa-2019-020 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11832
https://notcve.org/view.php?id=CVE-2019-11832
TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick. TYPO3, versiones 8.x anteriores a 8.7.25 y 9.x anteriores a 9.5.6, permite la ejecución remota de código porque no configura correctamente las aplicaciones utilizadas para el procesamiento de imágenes, como demuestran ImageMagick o GraphicsMagick. • http://www.securityfocus.com/bid/108305 https://typo3.org/security/advisory/typo3-core-sa-2019-012 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 1%CPEs: 11EXPL: 0CVE-2019-11831
https://notcve.org/view.php?id=CVE-2019-11831
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. El paquete PharStreamWrapper (también conocido como phar-stream-wrapper), versiones 2.x anteriores a 2.1.1 y 3.x anteriores a 3.1.1 para TYPO3, no impide el salto de directorio, lo que permite a los atacantes eludir un mecanismo de protección de deserialización, como lo demuestra una URL phar:///path/bad.phar/../good.phar. • http://www.securityfocus.com/bid/108302 https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1 https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1 https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH https://lists.fedoraproject. • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-502: Deserialization of Untrusted Data •