Vulnerabilities
Vulnerable Software
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-01-14
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-01-14
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-01-14
TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability which is exploited via a crafted POST request.
CVSS Score
8.8
EPSS Score
0.002
Published
2022-03-25
Cross-site scripting vulnerability in Typesetter 5.1 via the (1) className and (2) Description fields in index.php/Admin/Classes.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-06-21
Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."
CVSS Score
4.8
EPSS Score
0.002
Published
2020-12-11
Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our security policy" and is being fixed for 5.2.
CVSS Score
7.2
EPSS Score
0.423
Published
2020-09-19
The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. The logout function of the admin panel is not protected by any CSRF tokens. An attacker can log out the user using this vulnerability.
CVSS Score
4.3
EPSS Score
0.002
Published
2020-01-05
Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter during new page creation.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-05-13
index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element.
CVSS Score
4.8
EPSS Score
0.002
Published
2019-05-13

