CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2022-31046 – Information Disclosure via Export Module in TYPO3 CMS
https://notcve.org/view.php?id=CVE-2022-31046
TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the export functionality fails to limit the result set to allowed columns of a particular database table. This way, authenticated users can export internal details of database tables they already have access to. TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, 11.5.11 fix the problem described above. In order to address this issue, access to mentioned export functionality is completely denied for regular backend users. • https://github.com/TYPO3/typo3/commit/7447a3d1283017d2ee08737a7972c720001a93e9 https://github.com/TYPO3/typo3/security/advisories/GHSA-8gmv-9hwg-w89g https://typo3.org/security/advisory/typo3-core-sa-2022-001 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-31047 – Insertion of Sensitive Information into Log File in typo3/cms-core
https://notcve.org/view.php?id=CVE-2022-31047
TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, system internal credentials or keys (e.g. database credentials) can be logged as plaintext in exception handlers, when logging the complete exception stack trace. TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, 11.5.11 contain a fix for the problem. TYPO3 es un sistema de administración de contenidos web de código abierto. En versiones anteriores a 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29 y 11.5.11, las credenciales o claves internas del sistema (por ejemplo, las credenciales de la base de datos) podían registrarse como texto plano en los manejadores de excepciones, cuando es registrado el seguimiento completo de la pila de excepciones. • https://github.com/TYPO3/typo3/commit/c93ea692e7dfef03b7c50fe5437487545bee4d6a https://github.com/TYPO3/typo3/security/advisories/GHSA-fh99-4pgr-8j99 https://typo3.org/security/advisory/typo3-core-sa-2022-002 • CWE-209: Generation of Error Message Containing Sensitive Information CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2021-32768 – Cross-Site Scripting via Rich-Text Content
https://notcve.org/view.php?id=CVE-2021-32768
TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser does not consider all potentially malicious HTML tag & attribute combinations per default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-c5c9-8c6m-727v https://typo3.org/security/advisory/typo3-core-sa-2021-013 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2021-32767 – Information Disclosure in User Authentication
https://notcve.org/view.php?id=CVE-2021-32767
TYPO3 is an open source PHP based web content management system. In versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may been logged as plain-text. This occurs when explicitly using log level debug, which is not the default configuration. TYPO3 versions 9.5.28, 10.4.18, 11.3.1 contain a patch for this vulnerability. TYPO3 es un sistema de administración de contenidos web de código abierto basado en PHP. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-34fr-fhqr-7235 https://typo3.org/security/advisory/typo3-core-sa-2021-012 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2021-32669 – Cross-Site Scripting in Backend Grid View
https://notcve.org/view.php?id=CVE-2021-32669
TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When settings for _backend layouts_ are not properly encoded, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this vulnerability. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-rgcg-28xm-8mmw https://typo3.org/security/advisory/typo3-core-sa-2021-011 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •