CVSS: 8.8EPSS: 0%CPEs: 42EXPL: 1CVE-2017-14251
https://notcve.org/view.php?id=CVE-2017-14251
Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code. Una vulnerabilidad de subida de archivos sin restricciones en fileDenyPattern en sysext/core/Classes/Core/SystemEnvironmentBuilder.php en TYPO3 para las versiones 7.6.0 a 7.6.21 y 8.0.0 a 8.7.4 permite a los usuarios autenticados remotos subir archivos con una extensión .pht y, como consecuencia, ejecutar código PHP arbitrario. • http://blog.emaze.net/2017/12/typo3-unrestricted-file-upload-remote.html http://www.securityfocus.com/bid/100620 http://www.securitytracker.com/id/1039295 https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-007 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.1EPSS: 3%CPEs: 19EXPL: 0CVE-2016-5091
https://notcve.org/view.php?id=CVE-2016-5091
Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action. Extbase en TYPO3 4.3.0 en versiones anteriores a 6.2.24, 7.x en versiones anteriores a 7.6.8 y 8.1.1 permite a atacantes remotos obtener información sensible o posiblemente ejecutar código arbitrario a través una acción Extbase manipulada. • http://www.openwall.com/lists/oss-security/2016/05/25/4 http://www.openwall.com/lists/oss-security/2016/05/26/2 https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013 • CWE-254: 7PK - Security Features •
CVSS: 5.4EPSS: 0%CPEs: 39EXPL: 0CVE-2015-8755
https://notcve.org/view.php?id=CVE-2015-8755
Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown vectors. Múltiples vulnerabilidades de XSS en componentes del backend no especificados en TYPO3 6.2.x en versiones anteriores a 6.2.16 y 7.x en versiones anteriores a 7.6.1 permiten a editores remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de vectores desconocidos. • http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-011 http://www.securityfocus.com/bid/79236 http://www.securitytracker.com/id/1034483 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 39EXPL: 0CVE-2015-8759
https://notcve.org/view.php?id=CVE-2015-8759
Cross-site scripting (XSS) vulnerability in the typoLink function in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote authenticated editors to inject arbitrary web script or HTML via a link field. Vulnerabilidad de XSS en la función typoLink en TYPO3 6.2.x en versiones anteriores a 6.2.16 y 7.x en versiones anteriores a 7.6.1 permiten a editores remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un campo link. • http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012 http://www.securityfocus.com/bid/79250 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 39EXPL: 0CVE-2015-8758
https://notcve.org/view.php?id=CVE-2015-8758
Multiple cross-site scripting (XSS) vulnerabilities in unspecified frontend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown vectors. Múltiples vulnerabilidades de XSS en componentes anticipados no especificados en TYPO3 6.2.x en versiones anteriores a 6.2.16 y 7.x en versiones anteriores a 7.6.1 permiten a editores remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de vectores desconocidos. • http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013 http://www.securityfocus.com/bid/79240 http://www.securitytracker.com/id/1034484 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •