Medium CVE-2020-11069: Typo3 Typo3
Team IT Security Nachrichtenportal

News category: Security vulnerabilities
Source: cxsecurity.com

In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victim's user session. In a worst-case scenario, new admin users can be created which can directly be used by an attacker.

The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS), but it happens on the same target host; thus, it is actually a same-site request forgery. Malicious payload such as HTML containing JavaScript might be provided either by an authenticated backend user or by a non-authenticated user via a third-party extension, e.g. a file upload in a contact form where the target location is known. To be successful, the attacked victim requires an active and valid backend or install tool user session at the time of the attack.

This has been fixed in 9.5.17 and 10.4.2. The deployment of additional mitigation techniques is suggested, as described below.

- Sudo Mode Extension: This TYPO3 extension intercepts modifications to security-relevant database tables, e.g. those storing user accounts or storages of the file abstraction layer. Modifications need to be confirmed again by the acting user providing their password. This technique is known as sudo mode. This way, unintended actions happening in the background can be mitigated.
  - https://github.com/FriendsOfTYPO3/sudo-mode
  - https://extensions.typo3.org/extension/sudo_mode
- Content Security Policy: Content Security Policies tell (modern) browsers how resources served by a particular site are handled. It is also possible to disallow script execution for specific locations. In a TYPO3 context, it is suggested to disallow direct script execution at least for the locations /fileadmin/ and /uploads/. ...
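The following Apache configuration is an added example of the Content Security Policy mitigation the advisory recommends; it is not taken from the advisory, from cxsecurity.com or from the TYPO3 project. It assumes Apache httpd 2.4 with mod_headers enabled and the TYPO3 web root as DocumentRoot, so that uploaded files are reachable under /fileadmin/ and /uploads/; the header values are the author's own choice, not a TYPO3 default.

```apache
# Added example (not from the advisory or the TYPO3 project): forbid script
# execution for anything served out of the upload locations named in the
# advisory. Assumes Apache httpd 2.4 with mod_headers and the TYPO3 web root
# as DocumentRoot; extend the regex if your instance stores uploads elsewhere.
<IfModule mod_headers.c>
    <LocationMatch "^/(fileadmin|uploads)/">
        # With default-src 'none' and script-src 'none' a browser rendering an
        # uploaded HTML or SVG file as a document will execute no script from
        # it, inline or external. 'sandbox' without allow-* flags additionally
        # gives such a document a unique (opaque) origin and disables scripts
        # and form submission, so it cannot act as the logged-in backend user.
        # frame-ancestors 'none' stops the file being embedded in another page.
        Header always set Content-Security-Policy "default-src 'none'; script-src 'none'; object-src 'none'; style-src 'none'; sandbox; frame-ancestors 'none'"
        # Stop MIME sniffing from promoting a misnamed upload to an HTML document.
        Header always set X-Content-Type-Options "nosniff"
    </LocationMatch>
</IfModule>
```

Two caveats for operators: the headers only cover responses the web server produces for these paths, so uploads that a third-party extension stores in another directory need the same treatment, and the policy does not replace the fix in 9.5.17 / 10.4.2 or the sudo mode extension, which address the request side rather than the script side. After reloading Apache, verify the policy is actually emitted for an uploaded file with something like `curl -sI https://your-typo3-host.example/fileadmin/some-upload.html | grep -i content-security-policy` (hostname and file name are placeholders); `Header always` ensures the header is also present on error responses such as 404.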



Related entries on this portal (portal relevance score in points):

- Medium CVE-2019-12747: Typo3 Typo3 (28.8 points)
- Low CVE-2019-12748: Typo3 Typo3 (23.75 points)
- CVE-2023-30451 | TYPO3 11.5.24 /typo3/record/edit path traversal (ID 176274) (23.75 points)
- Vuln: TYPO3 Core TYPO3-SA-2010-012 Multiple Remote Security Vulnerabilities (22.76 points)
- TYPO3 tutorial: How to create your own website with TYPO3 (22.76 points)
- Vuln: TYPO3 CVE-2017-6370 Information Disclosure Vulnerability (12.37 points)
- TYPO3 1.1.09 cross site scripting [CVE-2008-2182] (12.37 points)
- TYPO3 1.2.0 cross site scripting [CVE-2008-2452] (12.37 points)
- TYPO3 0.1.2 sql injection [CVE-2008-2451] (12.37 points)
- TYPO3 0.1.2 cross site scripting [CVE-2008-2450] (12.37 points)
- TYPO3 phpMyAdmin 0.2.2/3.0/3.0.1 cross site scripting [CVE-2008-3032] (12.37 points)
- TYPO3 Mannschaftsliste 1.0.3 sql injection [CVE-2008-4659] (12.37 points)
- TYPO3 JobControl up to 1.9.5 sql injection [CVE-2008-4658] (12.37 points)
- TYPO3 simplesurvey up to 1.7.0 sql injection [CVE-2008-4655] (12.37 points)
- TYPO3 4.2.0/4.2.1/4.2.2 cross site scripting [CVE-2008-5656] (12.37 points)
- TYPO3 4.2.2 cross site scripting [CVE-2008-5644] (12.37 points)
- TYPO3 autobeuser 0.0.2 sql injection [CVE-2008-6459] (12.37 points)
- TYPO3 4.1 sql injection [CVE-2008-6594] (12.37 points)
- TYPO3 up to 6.2.15/7.6.0 Cross Site Scripting [CVE-2015-8758] (12.37 points)
- LDAP SSO Authentication 2.0.0 on TYPO3 weak authentication [CVE-2015-1401] (12.37 points)
- TYPO3 up to 8.7.26/9.5.7 cross site scripting [CVE-2019-12748] (12.37 points)
- Low CVE-2021-28380: Typo3 Aimeos (12.37 points)
- TYPO3 up to 9.5.24/10.4.13/11.1.0 information exposure [CVE-2021-21359] (12.37 points)
- #0daytoday #TYPO3 6.2.1 SQL Injection Exploit CVE-2021-31777 [webapps #exploits #0day #Exploit] (12.37 points)
- CVE-2022-31050 | TYPO3 up to 9.5.33 ELTS/10.4.28/11.5.10 Backend User Interface session expiration (GHSA-wwjw-r3gj-39fq) (12.37 points)
- CVE-2015-8758 | TYPO3 up to 6.2.15/7.6.0 cross site scripting (BID-79240 / ID 1034484) (12.37 points)
- CVE-2015-8757 | TYPO3 up to 6.2.15/7.6.0 Extension Manager cross site scripting (BID-79254 / ID 1034482) (12.37 points)
- CVE-2015-8756 | TYPO3 up to 6.2.15 Indexed Search cross site scripting (ID 1034486 / ID 100641) (12.37 points)
- CVE-2015-8755 | TYPO3 up to 6.2.15/7.6.0 Backend cross site scripting (BID-79236 / ID 1034483) (12.37 points)
- CVE-2015-8760 | TYPO3 up to 6.2.15 Flvplayer External input validation (BID-79210 / ID 1034485) (12.37 points)
- CVE-2022-33157 | libconnect Extension up to 7.0.7/8.0.x on TYPO3 cross site scripting (12.37 points)
- CVE-2022-33156 | matomo_integration Extension up to 1.3.1 on TYPO3 cross site scripting (12.37 points)
- CVE-2022-33155 | ameos_tarteaucitron Extension up to 1.2.22 on TYPO3 cross site scripting (12.37 points)
