Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the system extension recycler.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-11-06
TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the "forgot password" function.
CVSS Score
4.8
EPSS Score
0.001
Published
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.
CVSS Score
6.5
EPSS Score
0.009
Published
2019-11-05
TYPO3 before 4.3.4 and 4.4.x before 4.4.1 allows XSS in the textarea view helper in an extbase extension.
CVSS Score
6.1
EPSS Score
0.004
Published
2019-11-05
TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows information disclosure in the mail header of the HTML mailing API.
CVSS Score
5.3
EPSS Score
0.005
Published
2019-11-05
TYPO3 before 4.4.1 allows XSS in the frontend search box.
CVSS Score
6.1
EPSS Score
0.005
Published
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Header Injection in the secure download feature jumpurl.
CVSS Score
7.5
EPSS Score
0.004
Published
2019-11-04
TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS and Open Redirection in the frontend login box.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-11-04
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.
CVSS Score
8.8
EPSS Score
0.007
Published
2019-11-04
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend.
CVSS Score
8.8
EPSS Score
0.031
Published
2019-11-04