CVSS: 4.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-55892 – Potential Open Redirect via Parsing Differences in TYPO3
https://notcve.org/view.php?id=CVE-2024-55892
14 Jan 2025 — TYPO3 is a free and open source Content Management Framework. Applications that use `TYPO3\CMS\Core\Http\Uri` to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing the validation checks. Users are advised to update to TYPO3 versions 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 LTS, 12.4.25 LTS, 13.4.3 which fix the problem described. There are no known workarounds for this vulnerabilit... • https://github.com/TYPO3/typo3/security/advisories/GHSA-2fx5-pggv-6jjr • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-55893 – Cross-Site Request Forgery in Log Module in TYPO3
https://notcve.org/view.php?id=CVE-2024-55893
14 Jan 2025 — TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backen... • https://github.com/TYPO3/typo3/security/advisories/GHSA-cjfr-9f5r-3q93 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-749: Exposed Dangerous Method or Function •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-55894 – Cross-Site Request Forgery in Backend User Module in TYPO3
https://notcve.org/view.php?id=CVE-2024-55894
14 Jan 2025 — TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backen... • https://github.com/TYPO3/typo3/security/advisories/GHSA-6w4x-gcx3-8p7v • CWE-352: Cross-Site Request Forgery (CSRF) CWE-749: Exposed Dangerous Method or Function •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-55920 – Cross-Site Request Forgery in Dashboard Module in TYPO3
https://notcve.org/view.php?id=CVE-2024-55920
14 Jan 2025 — TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backen... • https://github.com/TYPO3/typo3/security/advisories/GHSA-qwx7-39pw-2mhr • CWE-352: Cross-Site Request Forgery (CSRF) CWE-749: Exposed Dangerous Method or Function •
CVSS: 7.6EPSS: 0%CPEs: 4EXPL: 0CVE-2024-55921 – Cross-Site Request Forgery in Extension Manager Module in TYPO3
https://notcve.org/view.php?id=CVE-2024-55921
14 Jan 2025 — TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backen... • https://github.com/TYPO3/typo3/security/advisories/GHSA-4g52-pq8j-6qv5 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-749: Exposed Dangerous Method or Function •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-55922 – Cross-Site Request Forgery in Form Framework Module in TYPO3
https://notcve.org/view.php?id=CVE-2024-55922
14 Jan 2025 — TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backen... • https://github.com/TYPO3/typo3/security/advisories/GHSA-ww7h-g2qf-7xv6 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-749: Exposed Dangerous Method or Function •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-55923 – Cross-Site Request Forgery in Indexed Search Module in TYPO3
https://notcve.org/view.php?id=CVE-2024-55923
14 Jan 2025 — TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backen... • https://github.com/TYPO3/typo3/security/advisories/GHSA-7r5q-4qgx-v545 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-749: Exposed Dangerous Method or Function •
CVSS: 3.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55891 – Information Disclosure via Exception Handling/Logger in TYPO3
https://notcve.org/view.php?id=CVE-2024-55891
14 Jan 2025 — TYPO3 is a free and open source Content Management Framework. It has been discovered that the install tool password has been logged as plaintext in case the password hashing mechanism used for the password was incorrect. Users are advised to update to TYPO3 versions 13.4.3 ELTS which fixes the problem described. There are no known workarounds for this vulnerability. • https://github.com/TYPO3/typo3/security/advisories/GHSA-38x7-cc6w-j27q • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 3.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-47780 – Information Disclosure in TYPO3 Page Tree
https://notcve.org/view.php?id=CVE-2024-47780
08 Oct 2024 — TYPO3 is a free and open source Content Management Framework. Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to "everybody." However, affected users could not manipulate these pages. Users are advised to update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. There are no known workarounds for this vulnerabi... • https://github.com/TYPO3/typo3/security/advisories/GHSA-rf5m-h8q9-9w6q • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2024-34358 – TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController
https://notcve.org/view.php?id=CVE-2024-34358
14 May 2024 — TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the `ShowImageController` (`_eID tx_cms_showpic_`) lacks a cryptographic HMAC-signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic?file=3&... • https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-347: Improper Verification of Cryptographic Signature •