Search Results (554 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-46724 1 Typo3 1 Extension "faceted Search" 2026-05-20 N/A
The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences.
CVE-2026-8827 1 Typo3 1 Extension "address List" 2026-05-20 N/A
The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection.
CVE-2026-46725 1 Typo3 1 Extension "content Element Selector" 2026-05-20 N/A
The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
CVE-2026-6553 1 Typo3 1 Typo3 2026-05-05 7.5 High
Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.
CVE-2026-4208 2 Mrsilaz, Typo3 2 Mfa Mail, Extension "e-mail Mfa Provider" 2026-04-25 8.8 High
The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.
CVE-2026-4202 2 Ayacoo, Typo3 2 Redirect Tab, Extension "redirect Tabs" 2026-04-25 4.3 Medium
The extension fails to verify, if an authenticated user has permissions to access to redirects resulting in exposure of redirect records when editing a page.
CVE-2026-1323 2 Cps-it, Typo3 2 Mailqueue, Extension "mailqueue" 2026-04-25 8.8 High
The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].
CVE-2009-4166 2 Michal Hadr, Typo3 2 Mchtrips, Typo3 2026-04-23 N/A
SQL injection vulnerability in the Trips (mchtrips) extension 2.0.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2009-0255 2 Debian, Typo3 2 Debian Linux, Typo3 2026-04-23 7.5 High
The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an insufficiently random seed, which makes it easier for attackers to crack the key.
CVE-2009-4394 2 Fr.simon Rundell, Typo3 2 Ste Prayer2, Typo3 2026-04-23 N/A
SQL injection vulnerability in the Random Prayer 2 (ste_prayer2) extension 0.0.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-5801 1 Typo3 1 Dictionary Extension 2026-04-23 N/A
Unspecified vulnerability in the Dictionary (rtgdictionary) extension 0.1.9 and earlier for TYPO3 allows attackers to execute arbitrary code via unknown vectors.
CVE-2008-5800 1 Typo3 2 Fsmi People, Wir Ber Uns Extension 2026-04-23 N/A
SQL injection vulnerability in the Wir ber uns [sic] (fsmi_people) extension 0.0.24 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2009-1264 2 Stanislas Rolland, Typo3 2 Sr Feuser Register, Typo3 2026-04-23 N/A
Frontend User Registration (sr_feuser_register) extension 2.5.20 and earlier for TYPO3 does not properly verify access rights, which allows remote authenticated users to obtain sensitive information such as passwords via unknown attack vectors.
CVE-2009-4399 2 Fr.simon Rundell, Typo3 2 Hs Religiousartgallery, Typo3 2026-04-23 N/A
SQL injection vulnerability in the Parish of the Holy Spirit Religious Art Gallery (hs_religiousartgallery) extension 0.1.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-5799 1 Typo3 2 Typo3, Wir Ber Uns Extension 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in the Wir ber uns (fsmi_people) extension 0.0.24 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-5798 1 Typo3 2 Cms Poll System Extension, Typo3 2026-04-23 N/A
SQL injection vulnerability in the CMS Poll system (cms_poll) extension before 0.1.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4661 1 Typo3 2 Page Improvements, Typo3 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in the Page Improvements (sm_pageimprovements) 1.1.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-3053 1 Typo3 1 Sql Frontend Extension 2026-04-23 N/A
SQL injection vulnerability in the SQL Frontend (mh_omsqlio) extension 1.0.11 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2009-0816 1 Typo3 1 Typo3 2026-04-23 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the backend user interface in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 allow remote attackers to inject arbitrary web script or HTML via unspecified fields.
CVE-2008-3052 1 Typo3 1 Sql Frontend Extension 2026-04-23 N/A
Unspecified vulnerability in the SQL Frontend (mh_omsqlio) extension 1.0.11 and earlier for TYPO3 allows remote attackers to cause a denial of service via unknown vectors.