Security Audit v2.0.17

Langue
- English
- Français
Connexion / Inscription

prod

Typo3 10.4

37 vulnérabilités ont été trouvés

1 paquets abandonnés ont été trouvés

Dernière analyse : il y a 6 heures

Pas de résultat.

37 vulnérabilités ont été trouvés

#	Total	C	H	M	L
Composer	37	0	6	24	7	0

Composer

19 typo3/cms-core —— v10.4.37 +

high TYPO3 Allows Privilege Escalation to System Maintainer

Versions affectées : >=13.0.0,<=13.4.11|>=12.0.0,<=12.4.30|>=11.0.0,<=11.5.43|>=10.4.0,<=10.4.49
Versions patchées : 10.4.50 11.5.44 12.4.31 13.4.12
https://github.com/advisories/GHSA-6frx-j292-c844

Signalée 20/05/2025

CVE-2025-47940

high TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler

Versions affectées : =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Versions patchées : 8.7.57 9.5.46 10.4.43 11.5.35 12.4.11 13.0.1
https://github.com/advisories/GHSA-rj3x-wvc6-5j66

Signalée 13/02/2024

CVE-2024-25121

high TYPO3 Install Tool vulnerable to Code Execution

Signalée 13/02/2024

CVE-2024-22188

medium TYPO3 Potential Open Redirect via Parsing Differences

Versions affectées : >=13.0.0,<=13.4.2|>=12.0.0,<=12.4.24|>=11.0.0,<=11.5.41|>=10.0.0,<=10.4.47|>=9.0.0,<=9.5.48
Versions patchées : 9.5.49 10.4.48 11.5.42 12.4.25 13.4.3
https://github.com/advisories/GHSA-2fx5-pggv-6jjr

Signalée 14/01/2025

CVE-2024-55892

medium TYPO3 vulnerable to Cross-Site Scripting in the ShowImageController

Versions affectées : >=13.0.0,<=13.1.0|>=12.0.0,<=12.4.14|>=11.0.0,<=11.5.36|>=10.0.0,<=10.4.44|>=9.0.0,<=9.5.47
Versions patchées : 9.5.48 10.4.45 11.5.37 12.4.15 13.1.1
https://github.com/advisories/GHSA-hw6c-6gwq-3m3m

Signalée 14/05/2024

CVE-2024-34357

medium TYPO3 vulnerable to Cross-Site Scripting in the Form Manager Module

Signalée 14/05/2024

CVE-2024-34356

medium TYPO3 Install Tool vulnerable to Information Disclosure of Encryption Key

Signalée 13/02/2024

CVE-2024-25119

medium TYPO3 vulnerable to Improper Access Control of Resources Referenced by t3:// URI Scheme

Signalée 13/02/2024

CVE-2024-25120

medium TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords

Signalée 13/02/2024

CVE-2024-25118

medium TYPO3-CORE-SA-2023-006: Weak Authentication in Session Handling

Versions affectées : >=8.0.0,<8.7.55|>=9.0.0,<9.5.44|>=10.0.0,<10.4.41|>=11.0.0,<11.5.33|>=12.0.0,<12.4.8
Versions patchées : 8.7.55 9.5.44 10.4.41 11.5.33 12.4.8
https://typo3.org/security/advisory/typo3-core-sa-2023-006

Signalée 14/11/2023

CVE-2023-47127

medium TYPO3 CMS exposes sensitive information in an error message

Signalée 09/09/2025

CVE-2025-59016

medium TYPO3 CMS has an open‑redirect vulnerability

Signalée 09/09/2025

CVE-2025-59013

medium TYPO3 Allows Unrestricted File Upload in File Abstraction Layer

Versions affectées : >=13.0.0,<=13.4.11|>=12.0.0,<=12.4.30|>=11.0.0,<=11.5.43|>=10.0.0,<=10.4.49|>=9.0.0,<=9.5.50
Versions patchées : 9.5.51 10.4.50 11.5.44 12.4.31 13.4.12
https://github.com/advisories/GHSA-9hq9-cr36-4wpj

Signalée 20/05/2025

CVE-2025-47939

medium TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool

Versions affectées : >=10.0.0,<=10.4.54|>=11.0.0,<=11.5.48|>=12.0.0,<=12.4.40|>=13.0.0,<=13.4.22|>=14.0.0,<=14.0.1
Versions patchées : 14.0.2 13.4.23 12.4.41 11.5.49 10.4.55
https://github.com/advisories/GHSA-7vp9-x248-9vr9

Signalée 13/01/2026

CVE-2026-0859

medium TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController

Signalée 14/05/2024

CVE-2024-34358

medium Path Traversal in TYPO3 File Abstraction Layer Storages

Versions affectées : =13.0.0|>=12.0.0,<=12.4.10|>=11.0.0,<=11.5.34|>=10.0.0,<=10.4.42|>=9.0.0,<=9.5.45|>=8.0.0,<=8.7.56
Versions patchées :
https://github.com/advisories/GHSA-w6x2-jg8h-p6mp

Signalée 13/02/2024

CVE-2023-30451

low TYPO3 Unverified Password Change for Backend Users

Versions affectées : >=13.0.0,<=13.4.11|>=12.0.0,<=12.4.30|>=11.0.0,<=11.5.43|>=10.0.0,<=10.4.49|>=9.0.0,<=9.5.50
Versions patchées : 9.5.51 9.5.51 10.4.50 11.5.44 12.4.31 13.4.12 10.4.50 11.5.44 12.4.31 13.4.12
https://github.com/advisories/GHSA-3jrg-97f3-rqh9

Signalée 20/05/2025

CVE-2025-47938

low Information Disclosure due to Out-of-scope Site Resolution

Versions affectées : >=12.0.0,<12.4.4|>=11.0.0,<11.5.30|>=10.0.0,<10.4.39|>=9.4.0,<9.5.42
Versions patchées : 9.5.42 10.4.39 11.5.30 12.4.4
https://github.com/advisories/GHSA-jq6g-4v5m-wm9r

Signalée 25/07/2023

CVE-2023-38499

low TYPO3 Allows Information Disclosure via DBAL Restriction Handling

Signalée 20/05/2025

CVE-2025-47937

1 typo3/cms-rte-ckeditor —— v10.4.37 +

medium Cross-Site Scripting in CKEditor4 WordCount Plugin

Versions affectées : >=11.0.0,<11.5.30|>=10.0.0,<10.4.39|>=9.5.0,<9.5.42
Versions patchées : 9.5.42 10.4.39 11.5.30
https://github.com/advisories/GHSA-m8fw-p3cr-6jqc

Signalée 25/07/2023

4 typo3/cms-backend —— v10.4.37 +

medium TYPO3 backend modules have Broken Access Control

Versions affectées : >=13.0.0,<13.4.18|>=12.0.0,<12.4.37|>=11.0.0,<11.5.48|>=10.0.0,<10.4.54|>=9.0.0,<9.5.55
Versions patchées : 12.4.37 12.4.37 12.4.37 12.4.37 13.4.18 12.4.37 12.4.37 12.4.37 12.4.37 13.4.18 12.4.37 12.4.37 12.4.37 13.4.18 13.4.18 12.4.37 12.4.37 12.4.37 12.4.37 12.4.37 12.4.37 12.4.37 12.4.37 13.4.18
https://github.com/advisories/GHSA-2fhw-2j7m-mr4m

Signalée 09/09/2025

CVE-2025-59017

medium TYPO3 CMS Allows Broken Access Control in Edit Document Controller

Signalée 13/01/2026

CVE-2025-59020

low Information Disclosure in TYPO3 Page Tree

Versions affectées : <11.5.40|>=12.0.0,<12.4.21|>=13.0.0,<13.3.1
Versions patchées : 13.3.1 12.4.21 11.5.40
https://github.com/advisories/GHSA-rf5m-h8q9-9w6q

Signalée 08/10/2024

CVE-2024-47780

low Denial of Service in TYPO3 Bookmark Toolbar

Versions affectées : >=10.0.0,<=10.4.45|>=11.0.0,<=11.5.39|>=12.0.0,<12.4.20|=13.0.0
Versions patchées : 13.3.1 12.4.21 11.5.40 10.4.46
https://github.com/advisories/GHSA-ffcv-v6pw-qhrp

Signalée 08/10/2024

CVE-2024-34537

2 symfony/http-foundation —— v4.4.49 +

high CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass

Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.50|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.29|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.3.7
Versions patchées : 5.4.50 6.4.29 7.3.7 5.4.50 6.4.29 7.3.7
https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass

Signalée 12/11/2025

CVE-2025-64500

low CVE-2024-50345: Open redirect via browser-sanitized URLs

Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Versions patchées : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50345

Signalée 05/11/2024

CVE-2024-50345

2 symfony/process —— v4.4.44 +

high CVE-2024-51736: Command execution hijack on Windows with Process class

Signalée 05/11/2024

CVE-2024-51736

medium Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows

Versions affectées : >=8.0,<8.0.5|>=7.4,<7.4.5|>=7.3,<7.3.11|>=6.4,<6.4.33|<5.4.51
Versions patchées : 5.4.51 6.4.33 7.3.11 7.4.5 8.0.5 5.4.51 6.4.33 7.3.11 7.4.5 8.0.5
https://github.com/advisories/GHSA-r39x-jcww-82v6

Signalée 28/01/2026

CVE-2026-24739

1 typo3/cms-belog —— v10.4.37 +

medium TYPO3 Cross-Site Request Forgery in Log Module

Versions affectées : >=13.0.0,<=13.4.2|>=12.0.0,<=12.4.24|>=11.0.0,<=11.5.41|>=10.0.0,<=10.4.47
Versions patchées : 10.4.48 11.5.42 12.4.25 13.4.3
https://github.com/advisories/GHSA-cjfr-9f5r-3q93

Signalée 14/01/2025

CVE-2024-55893

2 typo3/cms-beuser —— v10.4.37 +

medium TYPO3 backend modules have Broken Access Control

Versions affectées : >=9.0.0,<9.5.55|>=10.0.0,<10.4.54|>=11.0.0,<11.5.48|>=12.0.0,<12.4.37|>=13.0.0,<13.4.18
Versions patchées : 12.4.37 12.4.37 12.4.37 12.4.37 13.4.18 12.4.37 12.4.37 12.4.37 12.4.37 13.4.18 12.4.37 12.4.37 12.4.37 13.4.18 13.4.18 12.4.37 12.4.37 12.4.37 12.4.37 12.4.37 12.4.37 12.4.37 12.4.37 13.4.18
https://github.com/advisories/GHSA-2fhw-2j7m-mr4m

Signalée 09/09/2025

CVE-2025-59017

medium TYPO3 Cross-Site Request Forgery in Backend User Module

Signalée 14/01/2025

CVE-2024-55894

2 typo3/cms-dashboard —— v10.4.37 +

medium TYPO3 Cross-Site Request Forgery in Dashboard Module

Signalée 14/01/2025

CVE-2024-55920

medium TYPO3 backend modules have Broken Access Control

Versions affectées : >=13.0.0,<13.4.18|>=12.0.0,<12.4.37|>=11.0.0,<11.5.48|>=10.0.0,<10.4.54
Versions patchées : 12.4.37 12.4.37 12.4.37 12.4.37 13.4.18 12.4.37 12.4.37 12.4.37 12.4.37 13.4.18 12.4.37 12.4.37 12.4.37 13.4.18 13.4.18 12.4.37 12.4.37 12.4.37 12.4.37 12.4.37 12.4.37 12.4.37 12.4.37 13.4.18
https://github.com/advisories/GHSA-2fhw-2j7m-mr4m

Signalée 09/09/2025

CVE-2025-59017

1 typo3/cms-extensionmanager —— v10.4.37 +

high TYPO3 Extension Manager Module vulnerable to Cross-Site Request Forgery

Signalée 14/01/2025

CVE-2024-55921

1 typo3/cms-form —— v10.4.37 +

medium TYPO3 Form Framework Module vulnerable to Cross-Site Request Forgery

Signalée 14/01/2025

CVE-2024-55922

1 typo3/cms-setup —— v10.4.37 +

low TYPO3 Unverified Password Change for Backend Users

Signalée 20/05/2025

CVE-2025-47938

1 enshrined/svg-sanitize —— 0.15.4 +

medium svg-sanitizer Bypasses Attribute Sanitization

Versions affectées : <0.22.0
Versions patchées : 0.22.0
https://github.com/advisories/GHSA-22wq-q86m-83fh

Signalée 12/08/2025

CVE-2025-55166

1 paquets abandonnés ont été trouvés

Paquet abandonné	Remplacement suggéré
symfony/inflector	EnglishInflector from the String component

Badge

[![Vulnerabilities](https://audit.security.code-rhapsodie.fr/badge/018f871a-8eac-73fe-8c76-a61063f86748?type=vulnerabilities)](https://audit.security.code-rhapsodie.fr/fr/project/018f871a-8eac-73fe-8c76-a61063f86748)

[![Vulnerabilities](https://audit.security.code-rhapsodie.fr/badge/018f871a-8eac-73fe-8c76-a61063f86748?type=vulnerabilities&version=little)](https://audit.security.code-rhapsodie.fr/fr/project/018f871a-8eac-73fe-8c76-a61063f86748)

[![Abandonned](https://audit.security.code-rhapsodie.fr/badge/018f871a-8eac-73fe-8c76-a61063f86748?type=abandonned)](https://audit.security.code-rhapsodie.fr/fr/project/018f871a-8eac-73fe-8c76-a61063f86748)

[![Abandonned](https://audit.security.code-rhapsodie.fr/badge/018f871a-8eac-73fe-8c76-a61063f86748?type=abandonned&version=little)](https://audit.security.code-rhapsodie.fr/fr/project/018f871a-8eac-73fe-8c76-a61063f86748)