CVE-2021-32767 – Information Disclosure in User Authentication
https://notcve.org/view.php?id=CVE-2021-32767
TYPO3 is an open source PHP based web content management system. In versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may been logged as plain-text. This occurs when explicitly using log level debug, which is not the default configuration. TYPO3 versions 9.5.28, 10.4.18, 11.3.1 contain a patch for this vulnerability. TYPO3 es un sistema de administración de contenidos web de código abierto basado en PHP. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-34fr-fhqr-7235 https://typo3.org/security/advisory/typo3-core-sa-2021-012 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2021-32669 – Cross-Site Scripting in Backend Grid View
https://notcve.org/view.php?id=CVE-2021-32669
TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When settings for _backend layouts_ are not properly encoded, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this vulnerability. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-rgcg-28xm-8mmw https://typo3.org/security/advisory/typo3-core-sa-2021-011 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-32668 – Cross-Site Scripting in Query Generator & Query View
https://notcve.org/view.php?id=CVE-2021-32668
TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When error messages are not properly encoded, the components _QueryGenerator_ and _QueryView_ are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this issue. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-6mh3-j5r5-2379 https://typo3.org/security/advisory/typo3-core-sa-2021-010 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-32667 – Cross-Site Scripting in Page Preview
https://notcve.org/view.php?id=CVE-2021-32667
TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When _Page TSconfig_ settings are not properly encoded, corresponding page preview module (_Web>View_) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this issue. • https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-8mq9-fqv8-59wf https://typo3.org/security/advisory/typo3-core-sa-2021-009 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •