typo3/cms-core Security Advisories for v10.4.22 (28)
-
[MEDIUM] TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController
PKSA-tm11-834c-1wbq CVE-2024-34358 GHSA-36g8-62qv-5957
Affected version: >=13.0.0,<=13.1.0|>=12.0.0,<=12.4.14|>=11.0.0,<=11.5.36|>=10.0.0,<=10.4.44|>=9.0.0,<=9.5.47
Reported by:
GitHub -
[MEDIUM] TYPO3 vulnerable to Cross-Site Scripting in the ShowImageController
PKSA-443h-dk5w-qm2g CVE-2024-34357 GHSA-hw6c-6gwq-3m3m
Affected version: >=13.0.0,<=13.1.0|>=12.0.0,<=12.4.14|>=11.0.0,<=11.5.36|>=10.0.0,<=10.4.44|>=9.0.0,<=9.5.47
Reported by:
GitHub -
[MEDIUM] TYPO3 vulnerable to Cross-Site Scripting in the Form Manager Module
PKSA-8vkj-4d3h-x586 CVE-2024-34356 GHSA-v6mw-h7w6-59w3
Affected version: >=13.0.0,<=13.1.0|>=12.0.0,<=12.4.14|>=11.0.0,<=11.5.36|>=10.0.0,<=10.4.44|>=9.0.0,<=9.5.47
Reported by:
GitHub -
[HIGH] TYPO3 Install Tool vulnerable to Code Execution
PKSA-prgj-sgzn-q6cs CVE-2024-22188 GHSA-5w2h-59j3-8x5w
Affected version: =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Reported by:
GitHub -
[MEDIUM] Path Traversal in TYPO3 File Abstraction Layer Storages
PKSA-zz7z-6zsy-d2hc CVE-2023-30451 GHSA-w6x2-jg8h-p6mp
Affected version: =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Reported by:
GitHub -
[HIGH] TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler
PKSA-99mg-htb6-c272 CVE-2024-25121 GHSA-rj3x-wvc6-5j66
Affected version: =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Reported by:
GitHub -
[MEDIUM] TYPO3 vulnerable to Improper Access Control of Resources Referenced by t3:// URI Scheme
PKSA-h5xk-8nxx-znp4 CVE-2024-25120 GHSA-wf85-8hx9-gj7c
Affected version: =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Reported by:
GitHub -
[MEDIUM] TYPO3 Install Tool vulnerable to Information Disclosure of Encryption Key
PKSA-d551-hdqh-5mmf CVE-2024-25119 GHSA-h47m-3f78-qp9g
Affected version: =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Reported by:
GitHub -
[MEDIUM] TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords
PKSA-jbhx-knzt-5y6m CVE-2024-25118 GHSA-38r2-5695-334w
Affected version: =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Reported by:
GitHub -
[MEDIUM] TYPO3-CORE-SA-2023-006: Weak Authentication in Session Handling
PKSA-jp7z-h3vv-yr4s CVE-2023-47127 GHSA-3vmm-7h4j-69rm
Affected version: >=8.0.0,<8.7.55|>=9.0.0,<9.5.44|>=10.0.0,<10.4.41|>=11.0.0,<11.5.33|>=12.0.0,<12.4.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] Information Disclosure due to Out-of-scope Site Resolution
PKSA-83hy-ynvj-7pfq CVE-2023-38499 GHSA-jq6g-4v5m-wm9r
Affected version: >=12.0.0,<12.4.4|>=11.0.0,<11.5.30|>=10.0.0,<10.4.39|>=9.4.0,<9.5.42
Reported by:
GitHub -
[HIGH] TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering
PKSA-vxw7-bfmg-pz5q CVE-2023-24814 GHSA-r4f8-f93x-5qh3
Affected version: >=10.0.0,<10.4.35|>=11.0.0,<11.5.23|>=12.0.0,<12.2.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in HTML Sanitizer
PKSA-qbn4-sj3q-rvvx CVE-2022-23499
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration
PKSA-pdn3-qb24-bkw6 CVE-2022-23504 GHSA-8w3p-qh3x-6gjr
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TYPO3-CORE-SA-2022-015: Arbitrary Code Execution via Form Framework
PKSA-ccxj-fgkz-pynv CVE-2022-23503 GHSA-c5wx-6c2c-f7rm
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset
PKSA-3p3s-8w1v-x6b3 CVE-2022-23502 GHSA-mgj2-q8wp-29rr
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login
PKSA-hf6f-qcwd-7279 CVE-2022-23501 GHSA-jfp7-79g7-89rf
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20|>=12.0.0,<12.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling
PKSA-j3x1-dtrb-kbct CVE-2022-23500 GHSA-8c28-5mp7-v24h
Affected version: >=10.0.0,<10.4.33|>=11.0.0,<11.5.20
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-011: By-passing Cross-Site Scripting Protection in HTML Sanitizer
PKSA-rwrz-v1bh-34yt CVE-2022-36020 GHSA-47m6-46mj-p235
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-010: Cross-Site Scripting in <f:asset.css> view helper
PKSA-wjjh-fbmt-t55w CVE-2022-36108 GHSA-fv2m-9249-qx85
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-009: Stored Cross-Site Scripting via FileDumpController
PKSA-wkgp-n44t-r1jh CVE-2022-36107 GHSA-9c6w-55cp-5w25
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-008: Missing check for expiration time of password reset token for backend users
PKSA-v1kb-vbr1-8fy1 CVE-2022-36106 GHSA-5959-4x58-r8c2
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-007: User Enumeration via Response Timing
PKSA-d4cy-7k8v-3wtm CVE-2022-36105 GHSA-m392-235j-9r7r
Affected version: >=10.0.0,<10.4.32|>=11.0.0,<11.5.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-005: Insufficient Session Expiration in Admin Tool
PKSA-dnvg-71td-yz19 CVE-2022-31050 GHSA-wwjw-r3gj-39fq
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-004: Cross-Site Scripting in Frontend Login Mailer
PKSA-4kgv-d12j-68gk CVE-2022-31049 GHSA-h4mx-xv96-2jgm
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-003: Cross-Site Scripting in Form Framework
PKSA-dh2h-m334-x2dj CVE-2022-31048 GHSA-3r95-23jp-mhvg
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-002: Information Disclosure via Exception Handling/Logger
PKSA-sy4v-bxfk-mjjn CVE-2022-31047 GHSA-fh99-4pgr-8j99
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] TYPO3-CORE-SA-2022-001: Information Disclosure via Export Module
PKSA-1f5c-bp4y-tqft CVE-2022-31046 GHSA-8gmv-9hwg-w89g
Affected version: >=10.0.0,<10.4.29|>=11.0.0,<11.5.11
Reported by:
GitHub, FriendsOfPHP/security-advisories