Security Advisories - typo3/cms-backend

typo3/cms-backend Security Advisories (22)

[HIGH] TYPO3 CMS Stores Cleartext Password in User Settings Module

PKSA-j4dd-3nrn-j8w4 CVE-2026-6553 GHSA-xvv6-p4wf-mvx7

Affected version: =14.2.0

Reported by:
GitHub
[MEDIUM] TYPO3 CMS Allows Broken Access Control in Edit Document Controller

PKSA-54yn-xn5g-k3j9 CVE-2025-59020 GHSA-5j7q-wmh7-cqhg

Affected version: >=10.0.0,<=10.4.54|>=11.0.0,<=11.5.48|>=12.0.0,<=12.4.40|>=13.0.0,<=13.4.22|>=14.0.0,<=14.0.1

Reported by:
GitHub
[MEDIUM] TYPO3 CSV download feature information disclosure

PKSA-npmp-rd1w-2fyt CVE-2025-59019 GHSA-j8vm-7q52-2m2m

Affected version: >=13.0.0,<13.4.18|>=12.0.0,<12.4.37

Reported by:
GitHub
[MEDIUM] TYPO3 backend modules have Broken Access Control

PKSA-27mn-p368-8rxc CVE-2025-59017 GHSA-2fhw-2j7m-mr4m

Affected version: >=13.0.0,<13.4.18|>=12.0.0,<12.4.37|>=11.0.0,<11.5.48|>=10.0.0,<10.4.54|>=9.0.0,<9.5.55

Reported by:
GitHub
[MEDIUM] TYPO3 Bookmark Toolbar vulnerable to denial of service

PKSA-957f-x856-svyv CVE-2025-59014 GHSA-xrcq-533q-8rxw

Affected version: >=13.0.0,<13.4.18|>=12.0.0,<12.4.37|>=11.0.0,<11.5.48

Reported by:
GitHub
[HIGH] The TYPO3 CMS Backend has Broken Authentication in Backend MFA

PKSA-7w9w-389g-6rb9 CVE-2025-47941 GHSA-744g-7qm9-hjh9

Affected version: >=13.0.0,<=13.4.11|>=12.0.0,<=12.4.30

Reported by:
GitHub
[LOW] Denial of Service in TYPO3 Bookmark Toolbar

PKSA-9vjc-5m3y-9mrq CVE-2024-34537 GHSA-ffcv-v6pw-qhrp

Affected version: >=10.0.0,<=10.4.45|>=11.0.0,<=11.5.39|>=12.0.0,<12.4.20|=13.0.0

Reported by:
GitHub
[LOW] Information Disclosure in TYPO3 Page Tree

PKSA-4w8t-ddwx-n1z6 CVE-2024-47780 GHSA-rf5m-h8q9-9w6q

Affected version: >=10.0.0,<10.4.46|>=11.0.0,<11.5.40|>=12.0.0,<12.4.21|>=13.0.0,<13.3.1

Reported by:
GitHub
[MEDIUM] TYPO3 cross-site scripting (XSS) vulnerability in the RemoveXSS function and the backend

PKSA-ypts-nf6x-sc9n CVE-2010-3715 GHSA-mwqv-jff6-5v62

Affected version: >=4.4.0,<4.4.4|>=4.3.0,<4.3.7|>=4.2.0,<4.2.15

Reported by:
GitHub
[MEDIUM] TYPO3 Cross-site Scripting vulnerability in the file backend module

PKSA-18bs-jt2v-9q3z CVE-2008-5644 GHSA-733v-22mg-7f8w

Affected version: =4.2.2

Reported by:
GitHub
[MEDIUM] TYPO3 Cross-site Scripting vulnerability in the extension manager and backend forms

PKSA-qdd3-3rc5-3tx5 CVE-2010-3659 GHSA-jr79-65xr-q7cx

Affected version: >=4.4.0,<4.4.1|>=4.3.0,<4.3.4|>=4.2.0,<4.2.13|>=4.1.0,<4.1.14

Reported by:
GitHub
[HIGH] TYPO3 Backend Command Injection via Shell Metacharacters in Uploaded File Name

PKSA-3bnf-9x8r-4r22 CVE-2009-3631 GHSA-3cqw-pxgr-jhrm

Affected version: >=4.3alpha1,<4.3beta2|>=4.2.0,<4.2.10|>=4.1.0,<4.1.13|<=4.0.13

Reported by:
GitHub
[MEDIUM] TYPO3 Backend vulnerable to Frame Hijacking

PKSA-r321-b6qr-5765 CVE-2009-3630 GHSA-mg66-3x8x-r8g2

Affected version: >=4.3alpha1,<4.3beta2|>=4.2.0,<4.2.10|>=4.1.0,<4.1.13|<=4.0.13

Reported by:
GitHub
[LOW] TYPO3 Backend vulnerable to Cross-site Scripting

PKSA-c538-ny6f-p2pv CVE-2009-3629 GHSA-g857-p997-wx7w

Affected version: >=4.3alpha1,<4.3beta2|>=4.2.0,<4.2.10|>=4.1.0,<4.1.13|<=4.0.13

Reported by:
GitHub
[MEDIUM] TYPO3 Backend Discloses Encryption Key

PKSA-vv6f-n44y-t8cy CVE-2009-3628 GHSA-2wgg-c8xc-7gg3

Affected version: >=4.3alpha1,<4.3beta2|>=4.2.0,<4.2.10|>=4.1.0,<4.1.13|<=4.0.13

Reported by:
GitHub
[MEDIUM] TYPO3 is vulnerable to Information Disclosure on the backend

PKSA-c47t-v87h-d37b CVE-2010-3664 GHSA-8xp9-99h5-4vcg

Affected version: >=4.4.0,<4.4.1|>=4.3.0,<4.3.4|>=4.2.0,<4.2.13|<4.1.14

Reported by:
GitHub
[HIGH] TYPO3 Arbitrary Code Execution vulnerability on the backend

PKSA-5fpw-kmny-hhxn CVE-2010-3663 GHSA-wjpc-gjf7-9938

Affected version: >=4.4,<4.4.1|>=4.3,<4.3.4|>=4.2,<4.2.13|<4.1.14

Reported by:
GitHub
[HIGH] TYPO3 SQL injection vulnerability on the backend

PKSA-hfpc-9g5j-tf25 CVE-2010-3662 GHSA-4rvc-5hrh-qmwf

Affected version: >=4.4.0,<4.4.1|>=4.3.0,<4.3.4|>=4.2.0,<4.2.13|<4.1.14

Reported by:
GitHub
[MEDIUM] TYPO3 Open Redirection vulnerability on the backend

PKSA-psh3-1wf1-n6vp CVE-2010-3661 GHSA-j628-384g-rmgc

Affected version: >=4.4.0,<4.4.1|>=4.3.0,<4.3.4|>=4.2.0,<4.2.13|<4.1.14

Reported by:
GitHub
[MEDIUM] TYPO3 is vulnerable to Cross-Site Scripting (XSS) on the backend

PKSA-73gs-whnx-t29w CVE-2010-3660 GHSA-cg45-qgcf-hf9x

Affected version: >=4.4.0,<4.4.1|>=4.3.0,<4.3.4|>=4.2.0,<4.2.13|<4.1.14

Reported by:
GitHub
[MEDIUM] Cross-Site Scripting in Content Preview (CType menu)

PKSA-t94y-b11s-1rg9 CVE-2021-21370 GHSA-x7hc-x7fm-f7qh

Affected version: >=11.0.0,<=11.1.0|>=10.0.0,<=10.4.13|>=9.0.0,<=9.5.24|>=8.0.0,<=8.7.39|>=7.0.0,<=7.6.50

Reported by:
GitHub
[MEDIUM] Cross-Site Scripting in Content Preview

PKSA-n961-k227-s276 CVE-2021-21340 GHSA-fjh3-g8gq-9q92

Affected version: >=11.0.0,<=11.1.0|>=10.0.0,<=10.4.13

Reported by:
GitHub

typo3/cms-backend Security Advisories (22)

[HIGH] TYPO3 CMS Stores Cleartext Password in User Settings Module

[MEDIUM] TYPO3 CMS Allows Broken Access Control in Edit Document Controller

[MEDIUM] TYPO3 CSV download feature information disclosure

[MEDIUM] TYPO3 backend modules have Broken Access Control

[MEDIUM] TYPO3 Bookmark Toolbar vulnerable to denial of service

[HIGH] The TYPO3 CMS Backend has Broken Authentication in Backend MFA

[LOW] Denial of Service in TYPO3 Bookmark Toolbar

[LOW] Information Disclosure in TYPO3 Page Tree

[MEDIUM] TYPO3 cross-site scripting (XSS) vulnerability in the RemoveXSS function and the backend

[MEDIUM] TYPO3 Cross-site Scripting vulnerability in the file backend module

[MEDIUM] TYPO3 Cross-site Scripting vulnerability in the extension manager and backend forms

[HIGH] TYPO3 Backend Command Injection via Shell Metacharacters in Uploaded File Name

[MEDIUM] TYPO3 Backend vulnerable to Frame Hijacking

[LOW] TYPO3 Backend vulnerable to Cross-site Scripting

[MEDIUM] TYPO3 Backend Discloses Encryption Key

[MEDIUM] TYPO3 is vulnerable to Information Disclosure on the backend

[HIGH] TYPO3 Arbitrary Code Execution vulnerability on the backend

[HIGH] TYPO3 SQL injection vulnerability on the backend

[MEDIUM] TYPO3 Open Redirection vulnerability on the backend

[MEDIUM] TYPO3 is vulnerable to Cross-Site Scripting (XSS) on the backend

[MEDIUM] Cross-Site Scripting in Content Preview (CType menu)

[MEDIUM] Cross-Site Scripting in Content Preview