
CVE-2012-2112
https://notcve.org/view.php?id=CVE-2012-2112
27 Aug 2012 — Cross-site scripting (XSS) vulnerability in the Exception Handler in TYPO3 4.4.x before 4.4.15, 4.5.x before 4.5.15, 4.6.x before 4.6.8, and 4.7 allows remote attackers to inject arbitrary web script or HTML via exception messages.
Reference: http://lists.typo3.org/pipermail/typo3-announce/2012/000241.html
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2010-5099 – TYPO3 - Arbitrary File Retrieval
https://notcve.org/view.php?id=CVE-2010-5099
30 May 2012 — The fileDenyPattern functionality in the PHP file inclusion protection API in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly filter file types, which allows remote attackers to bypass intended access restrictions and access arbitrary PHP files, as demonstrated using path traversal sequences with %00 null bytes and CVE-2010-3714 to read the TYPO3 encryption key from localconf.php.
Reference: https://www.exploit-db.com/exploits/15856
CWE-20: Improper Input Validation

CVE-2010-5097
https://notcve.org/view.php?id=CVE-2010-5097
21 May 2012 — Cross-site scripting (XSS) vulnerability in the click enlarge functionality in TYPO3 4.3.x before 4.3.9 and 4.4.x before 4.4.5, when the caching framework is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Reference: http://secunia.com/advisories/35770
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2010-5098
https://notcve.org/view.php?id=CVE-2010-5098
21 May 2012 — Cross-site scripting (XSS) vulnerability in the FORM content object in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Reference: http://secunia.com/advisories/35770
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2010-5100
https://notcve.org/view.php?id=CVE-2010-5100
21 May 2012 — Multiple cross-site scripting (XSS) vulnerabilities in the Install Tool in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Reference: http://secunia.com/advisories/35770
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2010-5101
https://notcve.org/view.php?id=CVE-2010-5101
21 May 2012 — Directory traversal vulnerability in the TypoScript setup in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated administrators to read arbitrary files via unspecified vectors related to the "file inclusion functionality."
Reference: http://secunia.com/advisories/35770
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2010-5102
https://notcve.org/view.php?id=CVE-2010-5102
21 May 2012 — Directory traversal vulnerability in mod/tools/em/class.em_unzip.php in the unzip library in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote attackers to write arbitrary files via unspecified vectors.
Reference: http://bugs.typo3.org/view.php?id=16362
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2010-5103
https://notcve.org/view.php?id=CVE-2010-5103
21 May 2012 — SQL injection vulnerability in the list module in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via unspecified vectors.
Reference: http://secunia.com/advisories/35770
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2010-5104
https://notcve.org/view.php?id=CVE-2010-5104
21 May 2012 — The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characters in a LIKE query.
Reference: http://secunia.com/advisories/35770
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2010-3714 – TYPO3 - Arbitrary File Retrieval
https://notcve.org/view.php?id=CVE-2010-3714
25 Oct 2010 — The jumpUrl (aka access tracking) implementation in tslib/class.tslib_fe.php in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allows remote attackers to read arbitrary files via unspecified vectors.
Reference: https://packetstorm.news/files/id/180856
CWE-264: Permissions, Privileges, and Access Controls