The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of TYPO3 Core

vulnerability alert 29241

TYPO3 Core: weak mode of password storage

Synthesis of the vulnerability

Passwords are stored after being hashed without salt, which allows parallel dictionary attacks.
Impacted products: TYPO3 Core.
Severity: 1/4.
Consequences: data reading.
Provenance: privileged account.
Creation date: 07/05/2019.
Identifiers: TYPO3-CORE-SA-2019-009, TYPO3-CORE-SA-2019-010, TYPO3-CORE-SA-2019-011, TYPO3-CORE-SA-2019-012, TYPO3-CORE-SA-2019-013, TYPO3-PSA-2019-004, TYPO3-PSA-2019-005, TYPO3-PSA-2019-006, VIGILANCE-VUL-29241.

Description of the vulnerability

Passwords are stored after being hashed without salt, which allows parallel dictionary attacks.

vulnerability CVE-2019-8331

Pivotal Ops Manager: Cross Site Scripting via Bootstrap

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Bootstrap of Pivotal Ops Manager, in order to run JavaScript code in the context of the web site.
Impacted products: IBM API Connect, TYPO3 Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 08/03/2019.
Identifiers: CVE-2019-8331, ibm10879483, TYPO3-CORE-SA-2019-009, TYPO3-CORE-SA-2019-010, TYPO3-CORE-SA-2019-011, TYPO3-CORE-SA-2019-012, TYPO3-CORE-SA-2019-013, TYPO3-PSA-2019-004, TYPO3-PSA-2019-005, TYPO3-PSA-2019-006, VIGILANCE-VUL-28700.

Description of the vulnerability

The Pivotal Ops Manager product offers a web service.

However, it does not filter data received via Bootstrap before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Bootstrap of Pivotal Ops Manager, in order to run JavaScript code in the context of the web site.

computer vulnerability alert 28326

TYPO3 Core: Cross Site Scripting via Flash WebSVG Component

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Flash WebSVG Component of TYPO3 Core, in order to run JavaScript code in the context of the web site.
Impacted products: TYPO3 Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 22/01/2019.
Identifiers: TYPO3-PSA-2019-003, VIGILANCE-VUL-28326.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting via Flash WebSVG Component of TYPO3 Core, in order to run JavaScript code in the context of the web site.

vulnerability 28000

TYPO3 Core: eight vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of TYPO3 Core.
Impacted products: TYPO3 Core.
Severity: 2/4.
Consequences: client access/rights, data reading, denial of service on service.
Provenance: internet client.
Creation date: 11/12/2018.
Identifiers: TYPO3-CORE-SA-2018-005, TYPO3-CORE-SA-2018-006, TYPO3-CORE-SA-2018-007, TYPO3-CORE-SA-2018-008, TYPO3-CORE-SA-2018-009, TYPO3-CORE-SA-2018-010, TYPO3-CORE-SA-2018-011, TYPO3-CORE-SA-2018-012, VIGILANCE-VUL-28000.

Description of the vulnerability

An attacker can use several vulnerabilities of TYPO3 Core.

computer vulnerability announce 27837

TYPO3 Core: information disclosure via NGINX

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via NGINX of TYPO3 Core, in order to obtain sensitive information.
Impacted products: TYPO3 Core.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 20/11/2018.
Identifiers: TYPO3-PSA-2018-002, VIGILANCE-VUL-27837.

Description of the vulnerability

An attacker can bypass access restrictions to data via NGINX of TYPO3 Core, in order to obtain sensitive information.

computer vulnerability note 26729

TYPO3 Core: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of TYPO3 Core.
Impacted products: TYPO3 Core.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 12/07/2018.
Identifiers: TYPO3-CORE-SA-2018-001, TYPO3-CORE-SA-2018-002, TYPO3-CORE-SA-2018-003, TYPO3-CORE-SA-2018-004, VIGILANCE-VUL-26729.

Description of the vulnerability

An attacker can use several vulnerabilities of TYPO3 Core.

computer vulnerability note CVE-2018-6905

TYPO3 Core: Cross Site Scripting via Site Name

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Site Name of TYPO3 Core, in order to run JavaScript code in the context of the web site.
Impacted products: TYPO3 Core.
Severity: 1/4.
Consequences: client access/rights.
Provenance: privileged account.
Creation date: 09/04/2018.
Identifiers: 84191, CVE-2018-6905, VIGILANCE-VUL-25799.

Description of the vulnerability

The Core extension can be installed on TYPO3.

However, it does not filter data received via Site Name before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Site Name of TYPO3 Core, in order to run JavaScript code in the context of the web site.

vulnerability 23730

TYPO3 Core: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of TYPO3 Core.
Impacted products: TYPO3 Core.
Severity: 3/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 05/09/2017.
Identifiers: TYPO3-CORE-SA-2017-004, TYPO3-CORE-SA-2017-005, TYPO3-CORE-SA-2017-006, TYPO3-CORE-SA-2017-007, VIGILANCE-VUL-23730.

Description of the vulnerability

Several vulnerabilities were announced in TYPO3 Core.

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4; TYPO3-CORE-SA-2017-004]

An attacker can bypass security features via Protected Storages, in order to obtain sensitive information. [severity:1/4; TYPO3-CORE-SA-2017-005]

An attacker can bypass security features via API, in order to obtain sensitive information. [severity:1/4; TYPO3-CORE-SA-2017-006]

An attacker can use a vulnerability via pht, in order to run code. [severity:3/4; TYPO3-CORE-SA-2017-007]

computer vulnerability bulletin 21978

TYPO3 Core: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of TYPO3 Core.
Impacted products: TYPO3 Core.
Severity: 2/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/02/2017.
Identifiers: TYPO3-CORE-SA-2017-002, TYPO3-CORE-SA-2017-003, VIGILANCE-VUL-21978.

Description of the vulnerability

Several vulnerabilities were announced in TYPO3 Core.

An attacker can bypass security features via TCA Initialization, in order to escalate privileges. [severity:2/4; TYPO3-CORE-SA-2017-002]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4; TYPO3-CORE-SA-2017-003]

computer vulnerability announce CVE-2016-10074

SwiftMailer: code execution

Synthesis of the vulnerability

An attacker can use a vulnerability of SwiftMailer, in order to run code.
Impacted products: Contao, Debian, Fedora, TYPO3 Core, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 30/12/2016.
Identifiers: CVE-2016-10074, DLA-792-1, DSA-3769-1, FEDORA-2016-b65e546846, FEDORA-2016-f7ef82c1b4, VIGILANCE-VUL-21487.

Description of the vulnerability

An attacker can use a vulnerability of SwiftMailer, in order to run code.