Page 30 of 153 results (0.016 seconds)

CVSS: 4.3EPSS: 0%CPEs: 17EXPL: 0

Cross-site scripting (XSS) vulnerability in fe_adminlib.inc in TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, as used in extensions such as (1) direct_mail_subscription, (2) feuser_admin, and (3) kb_md5fepw, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en fe_adminlib.inc de TYPO3 4.0.x antes de 4.0.9, 4.1.x antes de 4.1.7 y 4.2.x antes de 4.2.1, del modo que se utiliza en extensiones como (1) direct_mail_subscription, (2) feuser_admin y (3) kb_md5fepw, permite a atacantes remotos inyectar scripts web o HTMl de su elección mediante vectores no especificados. • http://secunia.com/advisories/30619 http://secunia.com/advisories/30660 http://securityreason.com/securityalert/3945 http://typo3.org/teams/security/security-bulletins/typo3-20080611-1 http://www.debian.org/security/2008/dsa-1596 http://www.securityfocus.com/archive/1/493270/100/0/threaded http://www.securityfocus.com/bid/29657 http://www.vupen.com/english/advisories/2008/1802 https://exchange.xforce.ibmcloud.com/vulnerabilities/42986 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 18EXPL: 0

TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions. TYPO3 versiones 4.0.x anteriores a 4.0.9, versiones 4.1.x anteriores a 4.1.7, y versiones 4.2.x anteriores a 4.2.1, utiliza un fileDenyPattern predeterminado insuficientemente restrictivo para Apache, que permite a los atacantes remotos omitir las restricciones de seguridad y cargar archivos de configuración como .htaccess, o conducir ataques de carga de archivos mediante varias extensiones. • http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern http://secunia.com/advisories/30619 http://secunia.com/advisories/30660 http://securityreason.com/securityalert/3945 http://typo3.org/teams/security/security-bulletins/typo3-20080611-1 http://www.debian.org/security/2008/dsa-1596 http://www.securityfocus.com/archive/1/493270/100/0/threaded http://www.securityfocus.com/bid/29657 http://www.vupen.com/english/advisories/2008/1802 https:/ • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 6.5EPSS: 0%CPEs: 18EXPL: 0

SQL injection vulnerability in the indexed_search system extension in TYPO3 3.x, 4.0 through 4.0.7, and 4.1 through 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en la extensión del sistema indexed_search, en TYPO3 3.x, 4.0 hasta 4.0.7, y 4.1 hasta 4.1.3. Permite que usuarios autenticados remotamente ejecuten, a su elección, comandos SQL usando vectores sin especificar. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457446 http://osvdb.org/39506 http://secunia.com/advisories/27969 http://secunia.com/advisories/28243 http://securitytracker.com/id?1019146 http://typo3.org/teams/security/security-bulletins/typo3-20071210-1 http://www.debian.org/security/2007/dsa-1439 http://www.securityfocus.com/bid/26871 http://www.vupen.com/english/advisories/2007/4205 https://exchange.xforce.ibmcloud.com/vulnerabilities/39017 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

The start function in class.t3lib_formmail.php in TYPO3 before 4.0.5, 4.1beta, and 4.1RC1 allows attackers to inject arbitrary email headers via unknown vectors. NOTE: some details were obtained from third party information. La función start en class.t3lib_formmail.php en TYPO3 anterior a 4.0.5, 4.1beta, y 4.1RC1 permite a atacantes remotos inyectar cabeceras email de su elección a través de vectores desconocidos. NOTA: Algunos de estos detalles se obtuvieron de información de terceros. • http://osvdb.org/33471 http://secunia.com/advisories/24207 http://typo3.org/teams/security/security-bulletins/typo3-20070221-1 http://www.securityfocus.com/bid/22668 http://www.vupen.com/english/advisories/2007/0697 https://exchange.xforce.ibmcloud.com/vulnerabilities/32630 •

CVSS: 7.5EPSS: 4%CPEs: 6EXPL: 4

rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php in Typo3 4.0.0 through 4.0.3, 3.7 and 3.8 with the rtehtmlarea extension, and 4.1 beta allows remote authenticated users to execute arbitrary commands via shell metacharacters in the userUid parameter to rtehtmlarea/htmlarea/plugins/SpellChecker/spell-check-logic.php, and possibly another vector. rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php en Typo3 4.0.0 hasta 4.0.3, 3.7 y 3.8 con la extensión rtehtmlarea, y 4.1 beta, permite a atacantes remotos autenticados ejecutar comandos de su elección mediante metacaracteres del intérprete de comandos (shell) a través del parámetro userUid en rtehtmlarea/htmlarea/plugins/SpellChecker/spell-check-logic.php, y posiblemente otro vector. • https://www.exploit-db.com/exploits/29300 http://lists.netfielders.de/pipermail/typo3-announce/2006/000045.html http://lists.netfielders.de/pipermail/typo3-announce/2006/000046.html http://secunia.com/advisories/23446 http://secunia.com/advisories/23466 http://securityreason.com/securityalert/2056 http://securitytracker.com/id?1017428 http://typo3.org/news-single-view/?tx_newsimporter_pi1%5BshowItem%5D=0&cHash=e4a40a11a9 http://www.sec-consult.com/272.html http://www.securityfocus.com&#x •