typo3/cms-core vulnerabilities

Known vulnerabilities in the typo3/cms-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Open Redirect	>=9.0.0, <9.5.49>=10.0.0, <10.4.48>=11.0.0, <11.5.42>=12.0.0, <12.4.25>=13.0.0, <13.4.3
L Incorrect Authorization	<11.5.40>=12.0.0, <12.4.21>=13.0.0, <13.3.1
M Improper Verification of Cryptographic Signature	>=9.0.0, <9.5.48>=10.0.0, <10.4.45>=11.0.0, <11.5.37>=12.0.0, <12.4.15>=13.0.0, <13.1.1
M Cross-site Scripting (XSS)	>=9.0.0, <9.5.48>=10.0.0, <10.4.45>=11.0.0, <11.5.37>=12.0.0, <12.4.15>=13.0.0, <13.1.1
M Cross-site Scripting (XSS)	>=9.0.0, <9.5.48>=10.0.0, <10.4.45>=11.0.0, <11.5.37>=12.0.0, <12.4.15>=13.0.0, <13.1.1
L Cross-site Scripting	>=13.0.0, <13.1.1
M Path Traversal	>=8.0.0, <8.7.30>=9.0.0, <9.5.12>=10.0.0, <10.2.2
H Improper Control of Generation of Code ('Code Injection')	<11.5.35>=12.0.0, <12.4.11>=13.0.0, <13.0.1
M Information Exposure	<11.5.35>=12.0.0, <12.4.11>=13.0.0, <13.0.1
H Exposure of Sensitive Information to an Unauthorized Actor	<11.5.35>=12.0.0, <12.4.11>=13.0.0, <13.0.1
M Exposure of Sensitive Information to an Unauthorized Actor	<11.5.35>=12.0.0, <12.4.11>=13.0.0, <13.0.1
M Directory Traversal	<13.1.0
M Authentication Bypass by Assumed-Immutable Data	<11.5.33>=12.0.0, <12.4.8
M Uncontrolled Recursion	>=9.0.0, <10.4.33>=11.0.0, <11.5.20
M Information Exposure	>=9.0.0, <10.4.33>=11.0.0, <11.5.20>=12.0.0, <12.1.1
H Arbitrary Code Execution	>=8.0.0, <8.7.49>=9.0.0, <9.5.38>=10.0.0, <10.4.33>=11.0.0, <11.5.20>=12.0.0, <12.1.1
M Access Restriction Bypass	>=8.0.0, <8.7.49>=9.0.0, <9.5.38>=10.0.0, <10.4.33>=11.0.0, <11.5.2>=12.0.0, <12.1.1
M Cross-site Scripting (XSS)	<10.4.32>=11.0.0, <11.5.16
M Denial of Service (DoS)	>=11.4.0, <11.5.16
M Timing Attack	<10.4.32>=11.0.0, <11.5.16
M Information Exposure	<10.4.29>=11.0.0, <11.1.11
M Denial of Service (DoS)	<10.4.29>=11.0.0, <11.5.11
L HTTP Header Injection	>=11.0.0, <11.5.0
H Cross-site Request Forgery (CSRF)	>=11.0.0, <11.5.0
M Cross-site Scripting (XSS)	>=11.0.0, <11.3.2>=10.0.0, <10.4.19>=9.0.0, <9.5.29>=8.0.0, <8.7.42>=0.0.0, <7.6.53
M Denial of Service (DoS)	>=7.0.0, <7.6.32>=8.0.0, <8.7.21
M Information Disclosure	>=8.0.0, <8.7.27>=9.0.0, <9.5.8
M Insecure Defaults	>=7.0.0, <7.6.32>=8.0.0, <8.7.21>=9.0.0, <9.5.2
M Session Fixation	>=8.0.0, <8.7.25>=9.0.0, <9.5.6
M Cross-site Scripting (XSS)	>=11.0.0, <11.3.1>=10.0.0, <10.4.18>=9.0.0, <9.5.28>=8.0.0, <8.7.41
M Information Exposure	>=11.0.0, <11.3.1>=10.0.0, <10.4.18>=9.0.0, <9.5.28>=8.0.0, <8.7.41>=7.0.0, <7.6.52
L Cross-site Scripting (XSS)	>=11.0.0, <11.1.1>=10.0.0, <10.4.14<9.5.25
M Information Exposure	>=11.0.0, <11.1.1>=10.0.0, <10.4.14<9.5.25
M Cross-site Scripting (XSS)	>=11.0.0, <11.1.1>=10.0.0, <10.4.14
M Cross-site Scripting (XSS)	>=11.0.0, <11.1.1>=10.2.0, <10.4.14
M Denial of Service (DoS)	>=11.0.0, <11.1.1>=10.0.0, <10.4.14>=9.0.0, <9.5.25
M Open Redirect	>=11.0.0, <11.1.1>=10.0.0, <10.4.14<9.5.25
H Cross-site Scripting (XSS)	>=11.0.0, <11.1.1>=10.0.0, <10.4.14>=8.0.0, <9.5.25
H Improper Input Validation	>=11.0.0, <11.1.1>=10.0.0, <10.4.14>=8.0.0, <9.5.25
H Privilege Escalation	>=9.0.0, <9.5.20>=10.0.0, <10.4.6
H Information Exposure	>=9.0.0, <9.5.20>=10.0.0, <10.4.6
M Cross-site Scripting (XSS)	>=10.0.0, <10.4.2>=9.0.0, <9.5.17
H Server-side Request Forgery (SSRF)	>=10.0.0, <10.4.2>=9.0.0, <9.5.17
L Information Exposure	>=10.0.0, <10.4.2
H Deserialization of Untrusted Data	>=10.0.0, <10.4.2>=9.0.0, <9.5.17
M Cross-site Scripting (XSS)	>=10.0.0, <10.4.2>=9.0.0, <9.5.17
H Deserialization of Untrusted Data	>=10.0.0, <10.4.2>=9.0.0, <9.5.17
M SQL Injection	>=10.0.0, <10.2.1>=9.0.0, <9.5.12>=8.0.0, <8.7.30
M Arbitrary File Write via Archive Extraction (Zip Slip)	>=10.0.0, <10.2.1>=9.0.0, <9.5.12>=8.0.0, <8.7.30
H Deserialization of Untrusted Data	>=8.0.0, <8.7.30>=9.0.0, <9.5.12
M Cross-site Scripting (XSS)	>=10.0.0, <10.2.1>=9.0.0, <9.5.12>=8.0.0, <8.7.30
H Deserialization of Untrusted Data	>=10.0.0, <10.2.1>=9.0.0, <9.5.12>=8.0.0, <8.7.30
M Cross-site Scripting (XSS)	>=10.0.0, <10.2.1>=9.0.0, <9.5.12>=8.0.0, <8.7.30
M Cross-site Scripting (XSS)	>=10.0.0, <10.2.1>=9.0.0, <9.5.12>=8.0.0, <8.7.30
H Arbitrary Code Execution	>=8.0.0, <8.7.27>=9.0.0, <9.5.8
H Deserialization of Untrusted Data	>=8.0.0, <8.7.27>=9.0.0, <9.5.8
M Cross-site Scripting (XSS)	>=8.3.0, <8.7.27>=9.0.0, <9.5.8
L Session Fixation	>=8.0.0, <8.7.27>=9.0.0, <9.5.8
C Arbitrary Code Execution	>=8.0.0, <8.7.25>=9.0.0, <9.5.6
M Improper Access Control	>=8.0.0, <8.7.25>=9.0.0, <9.5.6
M Information Exposure	>=9.0.0, <9.5.6
M Information Exposure	>=9.0.0, <9.5.6
M Cross-site Scripting (XSS)	>=8.0.0, <8.7.25>=9.0.0, <9.5.6
M Information Exposure	>=8.0.0, <8.7.23>=9.0.0, <9.5.4
M Cross-site Scripting (XSS)	>=9.0.0, <9.5.4
C Arbitrary Code Execution	>=8.0.0, <8.7.23>=9.0.0, <9.5.4
M Cross-site Scripting (XSS)	>=8.0.0, <8.7.23>=9.0.0, <9.5.4
M Cross-site Scripting (XSS)	>=8.0.0, <8.7.23>=9.0.0, <9.5.4
H Security Misconfiguration	>=8.0.0, <8.7.23>=9.0.0, <9.5.4
M Broken Access Control	>=8.0.0, <8.7.23>=9.0.0, <9.5.8
M Cross-site Scripting (XSS)	>=8.0.0, <8.7.21>=7.0.0, <7.6.32>=9.0.0, <9.5.2
M Cross-site Scripting (XSS)	>=8.0.0, <8.7.21>=7.5.0, <7.6.32>=9.0.0, <9.5.2
M Information Exposure	>=8.0.0, <8.7.21>=7.0.0, <7.6.32>=9.0.0, <9.5.2
H Denial of Service (DoS)	>=8.0.0, <8.7.21>=7.0.0, <7.6.32>=9.0.0, <9.5.2
M Denial of Service (DoS)	>=8.0.0, <8.7.21
M Cross-site Scripting (XSS)	>=7.0.0, <7.6.32>=8.5.0, <8.7.21>=9.0.0, <9.5.2
H Insecure Deserialization	>=8.5.0, <8.7.17>=9.0.0, <9.3.2
H Arbitrary Code Execution	>=7.0.0, <7.6.30>=8.0.0, <8.7.17>=9.0.0, <9.3.2
H SQL Injection	>=8.5.0, <8.7.17>=9.0.0, <9.3.2
M Improper Authentication	>=8.0.0, <8.7.17>=9.0.0, <9.3.2

Vulnerability

Vulnerable Version

Open Redirect

>=9.0.0, <9.5.49>=10.0.0, <10.4.48>=11.0.0, <11.5.42>=12.0.0, <12.4.25>=13.0.0, <13.4.3

Incorrect Authorization

<11.5.40>=12.0.0, <12.4.21>=13.0.0, <13.3.1

Improper Verification of Cryptographic Signature

>=9.0.0, <9.5.48>=10.0.0, <10.4.45>=11.0.0, <11.5.37>=12.0.0, <12.4.15>=13.0.0, <13.1.1

Cross-site Scripting (XSS)

>=9.0.0, <9.5.48>=10.0.0, <10.4.45>=11.0.0, <11.5.37>=12.0.0, <12.4.15>=13.0.0, <13.1.1

Cross-site Scripting (XSS)

>=9.0.0, <9.5.48>=10.0.0, <10.4.45>=11.0.0, <11.5.37>=12.0.0, <12.4.15>=13.0.0, <13.1.1

Cross-site Scripting

>=13.0.0, <13.1.1

Path Traversal

>=8.0.0, <8.7.30>=9.0.0, <9.5.12>=10.0.0, <10.2.2

Improper Control of Generation of Code ('Code Injection')

<11.5.35>=12.0.0, <12.4.11>=13.0.0, <13.0.1

Information Exposure

<11.5.35>=12.0.0, <12.4.11>=13.0.0, <13.0.1

Exposure of Sensitive Information to an Unauthorized Actor

<11.5.35>=12.0.0, <12.4.11>=13.0.0, <13.0.1

Exposure of Sensitive Information to an Unauthorized Actor

<11.5.35>=12.0.0, <12.4.11>=13.0.0, <13.0.1

Directory Traversal

<13.1.0

Authentication Bypass by Assumed-Immutable Data

<11.5.33>=12.0.0, <12.4.8

Uncontrolled Recursion

>=9.0.0, <10.4.33>=11.0.0, <11.5.20

Information Exposure

>=9.0.0, <10.4.33>=11.0.0, <11.5.20>=12.0.0, <12.1.1

Arbitrary Code Execution

>=8.0.0, <8.7.49>=9.0.0, <9.5.38>=10.0.0, <10.4.33>=11.0.0, <11.5.20>=12.0.0, <12.1.1

Access Restriction Bypass

>=8.0.0, <8.7.49>=9.0.0, <9.5.38>=10.0.0, <10.4.33>=11.0.0, <11.5.2>=12.0.0, <12.1.1

Cross-site Scripting (XSS)

<10.4.32>=11.0.0, <11.5.16

Denial of Service (DoS)

>=11.4.0, <11.5.16

Timing Attack

<10.4.32>=11.0.0, <11.5.16

Information Exposure

<10.4.29>=11.0.0, <11.1.11

Denial of Service (DoS)

<10.4.29>=11.0.0, <11.5.11

HTTP Header Injection

>=11.0.0, <11.5.0

Cross-site Request Forgery (CSRF)

>=11.0.0, <11.5.0

Cross-site Scripting (XSS)

>=11.0.0, <11.3.2>=10.0.0, <10.4.19>=9.0.0, <9.5.29>=8.0.0, <8.7.42>=0.0.0, <7.6.53

Denial of Service (DoS)

>=7.0.0, <7.6.32>=8.0.0, <8.7.21

Information Disclosure

>=8.0.0, <8.7.27>=9.0.0, <9.5.8

Insecure Defaults

>=7.0.0, <7.6.32>=8.0.0, <8.7.21>=9.0.0, <9.5.2

Session Fixation

>=8.0.0, <8.7.25>=9.0.0, <9.5.6

Cross-site Scripting (XSS)

>=11.0.0, <11.3.1>=10.0.0, <10.4.18>=9.0.0, <9.5.28>=8.0.0, <8.7.41

Information Exposure

>=11.0.0, <11.3.1>=10.0.0, <10.4.18>=9.0.0, <9.5.28>=8.0.0, <8.7.41>=7.0.0, <7.6.52

Cross-site Scripting (XSS)

>=11.0.0, <11.1.1>=10.0.0, <10.4.14<9.5.25

Information Exposure

>=11.0.0, <11.1.1>=10.0.0, <10.4.14<9.5.25

Cross-site Scripting (XSS)

>=11.0.0, <11.1.1>=10.0.0, <10.4.14

Cross-site Scripting (XSS)

>=11.0.0, <11.1.1>=10.2.0, <10.4.14

Denial of Service (DoS)

>=11.0.0, <11.1.1>=10.0.0, <10.4.14>=9.0.0, <9.5.25

Open Redirect

>=11.0.0, <11.1.1>=10.0.0, <10.4.14<9.5.25

Cross-site Scripting (XSS)

>=11.0.0, <11.1.1>=10.0.0, <10.4.14>=8.0.0, <9.5.25

Improper Input Validation

>=11.0.0, <11.1.1>=10.0.0, <10.4.14>=8.0.0, <9.5.25

Privilege Escalation

>=9.0.0, <9.5.20>=10.0.0, <10.4.6

Information Exposure

>=9.0.0, <9.5.20>=10.0.0, <10.4.6

Cross-site Scripting (XSS)

>=10.0.0, <10.4.2>=9.0.0, <9.5.17

Server-side Request Forgery (SSRF)

>=10.0.0, <10.4.2>=9.0.0, <9.5.17

Information Exposure

>=10.0.0, <10.4.2

Deserialization of Untrusted Data

>=10.0.0, <10.4.2>=9.0.0, <9.5.17

Cross-site Scripting (XSS)

>=10.0.0, <10.4.2>=9.0.0, <9.5.17

Deserialization of Untrusted Data

>=10.0.0, <10.4.2>=9.0.0, <9.5.17

SQL Injection

>=10.0.0, <10.2.1>=9.0.0, <9.5.12>=8.0.0, <8.7.30

Arbitrary File Write via Archive Extraction (Zip Slip)

>=10.0.0, <10.2.1>=9.0.0, <9.5.12>=8.0.0, <8.7.30

Deserialization of Untrusted Data

>=8.0.0, <8.7.30>=9.0.0, <9.5.12

Cross-site Scripting (XSS)

>=10.0.0, <10.2.1>=9.0.0, <9.5.12>=8.0.0, <8.7.30

Deserialization of Untrusted Data

>=10.0.0, <10.2.1>=9.0.0, <9.5.12>=8.0.0, <8.7.30

Cross-site Scripting (XSS)

>=10.0.0, <10.2.1>=9.0.0, <9.5.12>=8.0.0, <8.7.30

Cross-site Scripting (XSS)

>=10.0.0, <10.2.1>=9.0.0, <9.5.12>=8.0.0, <8.7.30

Arbitrary Code Execution

>=8.0.0, <8.7.27>=9.0.0, <9.5.8

Deserialization of Untrusted Data

>=8.0.0, <8.7.27>=9.0.0, <9.5.8

Cross-site Scripting (XSS)

>=8.3.0, <8.7.27>=9.0.0, <9.5.8

Session Fixation

>=8.0.0, <8.7.27>=9.0.0, <9.5.8

Arbitrary Code Execution

>=8.0.0, <8.7.25>=9.0.0, <9.5.6

Improper Access Control

>=8.0.0, <8.7.25>=9.0.0, <9.5.6

Information Exposure

>=9.0.0, <9.5.6

Information Exposure

>=9.0.0, <9.5.6

Cross-site Scripting (XSS)

>=8.0.0, <8.7.25>=9.0.0, <9.5.6

Information Exposure

>=8.0.0, <8.7.23>=9.0.0, <9.5.4

Cross-site Scripting (XSS)

>=9.0.0, <9.5.4

Arbitrary Code Execution

>=8.0.0, <8.7.23>=9.0.0, <9.5.4

Cross-site Scripting (XSS)

>=8.0.0, <8.7.23>=9.0.0, <9.5.4

Cross-site Scripting (XSS)

>=8.0.0, <8.7.23>=9.0.0, <9.5.4

Security Misconfiguration

>=8.0.0, <8.7.23>=9.0.0, <9.5.4

Broken Access Control

>=8.0.0, <8.7.23>=9.0.0, <9.5.8

Cross-site Scripting (XSS)

>=8.0.0, <8.7.21>=7.0.0, <7.6.32>=9.0.0, <9.5.2

Cross-site Scripting (XSS)

>=8.0.0, <8.7.21>=7.5.0, <7.6.32>=9.0.0, <9.5.2

Information Exposure

>=8.0.0, <8.7.21>=7.0.0, <7.6.32>=9.0.0, <9.5.2

Denial of Service (DoS)

>=8.0.0, <8.7.21>=7.0.0, <7.6.32>=9.0.0, <9.5.2

Denial of Service (DoS)

>=8.0.0, <8.7.21

Cross-site Scripting (XSS)

>=7.0.0, <7.6.32>=8.5.0, <8.7.21>=9.0.0, <9.5.2

Insecure Deserialization

>=8.5.0, <8.7.17>=9.0.0, <9.3.2

Arbitrary Code Execution

>=7.0.0, <7.6.30>=8.0.0, <8.7.17>=9.0.0, <9.3.2

SQL Injection

>=8.5.0, <8.7.17>=9.0.0, <9.3.2

Improper Authentication

>=8.0.0, <8.7.17>=9.0.0, <9.3.2

typo3/cms-core vulnerabilities

licenses detected

Direct Vulnerabilities

How to fix?