CVSS: 4.8EPSS: 2%CPEs: 2EXPL: 2CVE-2018-6905
https://notcve.org/view.php?id=CVE-2018-6905
08 Apr 2018 — The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process. El módulo page en TYPO3, en versiones anteriores a la 8.7.11 y versiones 9.1.0,. tiene Cross-Site Scripting (XSS) mediante $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], tal y como queda demostrado con un administrador que introduce un nombre de sitio manipulado durante el proceso de instalación. • https://github.com/dnr6419/CVE-2018-6905 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 32EXPL: 0CVE-2010-3659
https://notcve.org/view.php?id=CVE-2010-3659
20 Oct 2017 — Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified parameters to the extension manager, or unspecified parameters to unknown backend forms. Múltiples vulnerabilidades de Cross-Site Scripting (XSS) en TYPO3 CMS en versiones 4.1.x anteriores a la 4.1.14, versiones 4.2.x anteriores a la 4.2.13, versiones 4.3.x anterior... • http://www.openwall.com/lists/oss-security/2010/09/28/8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 2%CPEs: 19EXPL: 0CVE-2016-5091
https://notcve.org/view.php?id=CVE-2016-5091
23 Jan 2017 — Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action. Extbase en TYPO3 4.3.0 en versiones anteriores a 6.2.24, 7.x en versiones anteriores a 7.6.8 y 8.1.1 permite a atacantes remotos obtener información sensible o posiblemente ejecutar código arbitrario a través una acción Extbase manipulada. • http://www.openwall.com/lists/oss-security/2016/05/25/4 • CWE-254: 7PK - Security Features •
CVSS: 3.5EPSS: 0%CPEs: 48EXPL: 1CVE-2015-5956 – Typo3 CMS 6.2.14 / 4.5.40 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-5956
14 Sep 2015 — The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php and the (2) redirect_url parameter to index.php. Vulnerabilidad en la función sanitizeLocalUrl en TYPO3 6.x en versiones anteriores a 6.2.15, 7.x en versiones anteriores a 7.4.0, 4.5.40 y versiones anteriores, per... • https://packetstorm.news/files/id/133551 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 92EXPL: 0CVE-2015-2047
https://notcve.org/view.php?id=CVE-2015-2047
23 Feb 2015 — The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4.15, 4.5.0 through 4.5.39, and 4.6.0 through 4.6.18, when configured for the frontend, allows remote attackers to bypass authentication via a password that is casted to an empty value. La extensión rsaauth en TYPO3 4.3.0 hasta 4.3.14, 4.4.0 hasta 4.4.15, 4.5.0 hasta 4.5.39, y 4.6.0 hasta 4.6.18, cuando está configurado para el frontend, permite a atacantes remotos evadir la autenticación a través de una contraseña que está asignado a un v... • http://lists.opensuse.org/opensuse-updates/2016-08/msg00106.html • CWE-287: Improper Authentication •
CVSS: 4.8EPSS: 0%CPEs: 186EXPL: 0CVE-2014-3945
https://notcve.org/view.php?id=CVE-2014-3945
03 Jun 2014 — The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remote attackers to bypass authentication and gain access to the backend by leveraging knowledge of a password hash. El componente de autenticación en TYPO3 anterior a 6.2, cuando la creación de salts para el hash de contraseñas está deshabilitado, no requiere conocimiento de la contraseña en texto claro si se conoce... • http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001 • CWE-287: Improper Authentication •
CVSS: 9.1EPSS: 5%CPEs: 30EXPL: 3CVE-2010-5099 – TYPO3 - Arbitrary File Retrieval
https://notcve.org/view.php?id=CVE-2010-5099
30 May 2012 — The fileDenyPattern functionality in the PHP file inclusion protection API in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly filter file types, which allows remote attackers to bypass intended access restrictions and access arbitrary PHP files, as demonstrated using path traversal sequences with %00 null bytes and CVE-2010-3714 to read the TYPO3 encryption key from localconf.php. La funcionalidad fileDenyPattern en la API de protección de inclusión de archivos en TYP... • https://www.exploit-db.com/exploits/15856 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 14EXPL: 0CVE-2010-5097
https://notcve.org/view.php?id=CVE-2010-5097
21 May 2012 — Cross-site scripting (XSS) vulnerability in the click enlarge functionality in TYPO3 4.3.x before 4.3.9 and 4.4.x before 4.4.5 when the caching framework is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la funcionalidad "click enlarge" de TYPO3 4.3.x anteriores a 4.3.9 y 4.4.x anteriores a 4.4.5. Cuando la plataforma de caché está habilitada, permite a atacantes remotos inyectar codigo de ... • http://secunia.com/advisories/35770 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 32EXPL: 0CVE-2010-5098
https://notcve.org/view.php?id=CVE-2010-5098
21 May 2012 — Cross-site scripting (XSS) vulnerability in the FORM content object in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el objeto de contenido FORM de TYPO3 4.2.x before 4.2.16, 4.3.x anteriores a 4.3.9, y 4.4.x anteriores a 4.4.5. Permite a atacantes remotos inyectar codigo de script web o código HTML de vectores sin esp... • http://secunia.com/advisories/35770 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 32EXPL: 0CVE-2010-5100
https://notcve.org/view.php?id=CVE-2010-5100
21 May 2012 — Multiple cross-site scripting (XSS) vulnerabilities in the Install Tool in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Install Tool en TYPO3 v4.2.x anteriores a v4.2.16, v4.3.x anteriores a v4.3.9, y v4.4.x anteriores a v4.4.5, permite a atacantes remotos inyectar secuencias de comandos web o H... • http://secunia.com/advisories/35770 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •