Page 3 of 517 results (0.003 seconds)

CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0

14 Jan 2025 — TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backen... • https://github.com/TYPO3/typo3/security/advisories/GHSA-ww7h-g2qf-7xv6 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-749: Exposed Dangerous Method or Function •

CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0

14 Jan 2025 — TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backen... • https://github.com/TYPO3/typo3/security/advisories/GHSA-7r5q-4qgx-v545 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-749: Exposed Dangerous Method or Function •

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0

14 Jan 2025 — TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backen... • https://github.com/TYPO3/typo3/security/advisories/GHSA-7835-fcv3-g256 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-749: Exposed Dangerous Method or Function •

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0

14 Jan 2025 — TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backen... • https://github.com/TYPO3/typo3/security/advisories/GHSA-8mv3-37rc-pvxj • CWE-352: Cross-Site Request Forgery (CSRF) CWE-749: Exposed Dangerous Method or Function •

CVSS: 3.1EPSS: 0%CPEs: 1EXPL: 0

14 Jan 2025 — TYPO3 is a free and open source Content Management Framework. It has been discovered that the install tool password has been logged as plaintext in case the password hashing mechanism used for the password was incorrect. Users are advised to update to TYPO3 versions 13.4.3 ELTS which fixes the problem described. There are no known workarounds for this vulnerability. • https://github.com/TYPO3/typo3/security/advisories/GHSA-38x7-cc6w-j27q • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 3.1EPSS: 0%CPEs: 4EXPL: 0

08 Oct 2024 — TYPO3 is a free and open source Content Management Framework. Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to "everybody." However, affected users could not manipulate these pages. Users are advised to update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. There are no known workarounds for this vulnerabi... • https://github.com/TYPO3/typo3/security/advisories/GHSA-rf5m-h8q9-9w6q • CWE-863: Incorrect Authorization •

CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0

28 Aug 2024 — An issue was discovered in powermail extension through 12.3.5 for TYPO3. Several actions in the OutputController can directly be called, due to missing or insufficiently implemented access checks, resulting in Broken Access Control. Depending on the configuration of the Powermail Frontend plugins, an unauthenticated attacker can exploit this to edit, update, delete, or export data of persisted forms. This can only be exploited when the Powermail Frontend plugins are used. The fixed versions are 7.5.0, 8.5.0... • https://typo3.org/security/advisory/typo3-ext-sa-2024-006 • CWE-284: Improper Access Control •

CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0

28 Aug 2024 — An issue was discovered in powermail extension through 12.3.5 for TYPO3. It fails to validate the mail parameter of the confirmationAction, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database (plugin.tx_powermail.settings.db.enable=1), which however is the default setting of the extension... • https://typo3.org/security/advisory/typo3-ext-sa-2024-006 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

21 Jun 2024 — An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated users. • https://typo3.org/security/advisory/typo3-ext-sa-2024-003 • CWE-693: Protection Mechanism Failure •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

21 Jun 2024 — An issue was discovered in the friendlycaptcha_official (aka Integration of Friendly Captcha) extension before 0.1.4 for TYPO3. The extension fails to check the requirement of the captcha field in submitted form data, allowing a remote user to bypass the captcha check. This only affects the captcha integration for the ext:form extension. Se descubrió un problema en la extensión amigablecaptcha_official (también conocida como Integración de Friendly Captcha) antes de la versión 0.1.4 para TYPO3. La extensión... • https://typo3.org/security/advisory/typo3-ext-sa-2024-004 • CWE-284: Improper Access Control •