typesettercms 漏洞與 CVE 列表(14)

產品(CPE): — CVE 數: 14

typesettercms 漏洞概覽

彙總 typesettercms 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。

常見弱點模式包括 跨站腳本與CSRF,在 生產負載與軟體部署 使用場景中可能帶來 工作階段劫持 等風險。

相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。

漏洞分布趨勢(近 24 個月)

顯示 11414 CVE 數
«« 第一頁 « 上一頁 第 1 / 1 頁 下一頁 »
CVE 摘要 來源 最高 CVSS EPSS % 公開時間 更新時間
CVE-2025-71166 Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. [email protected] 4.8 0.19% 2026-01-14 2026-06-17
CVE-2025-71165 Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. [email protected] 4.8 0.19% 2026-01-14 2026-06-17
CVE-2025-71164 Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's brow [email protected] 4.8 0.19% 2026-01-14 2026-06-17
CVE-2022-25523 TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request. [email protected] 8.8 0.64% 2022-03-25 2026-06-17
CVE-2020-19511 Cross Site Scriptiong vulnerability in Typesetter 5.1 via the !1) className and !2) Description fields in index.php/Admin/Classes, [email protected] 6.1 0.82% 2021-06-21 2026-06-16
CVE-2020-35126 Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy. [email protected] 4.8 0.69% 2020-12-10 2026-06-16
CVE-2020-25790 Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our security policy" and is being fixed for 5.2 [email protected] 7.2 15.58% 2020-09-19 2026-06-16
CVE-2019-20077 The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. The logout function of the admin panel is not protected by any CSRF tokens. An attacker can logout the user using this vulnerability. [email protected] 4.3 0.41% 2020-01-05 2026-06-16
CVE-2018-16639 Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter during new page creation. [email protected] 5.4 0.70% 2019-05-13 2026-06-16
CVE-2018-16626 index.php/Admin/Classes in Typesetter 5.1 allows XSS via the description of a new class name. [email protected] 4.8 0.68% 2019-05-13 2026-06-16
CVE-2018-16625 index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element. [email protected] 4.8 0.68% 2019-05-13 2026-06-16
CVE-2018-20837 include/admin/Menu/Ajax.php in Typesetter 5.1 has index.php/Admin/Menu/Ajax?cmd=AddHidden title XSS. [email protected] 4.8 0.75% 2019-05-09 2026-06-16
CVE-2018-6889 An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability, Using this attack, a malicious user can poison the web cache or perform advanced password reset attacks or even trigger arbitrary user re-direction. [email protected] 8.8 6.82% 2018-02-11 2026-06-16
CVE-2018-6888 An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from critical flaw of Cross Site Request forgery: using a forged HTTP request, a malicious user can lead a user to unknowingly create / delete or modify a user account due to the lack of an anti-CSRF token. [email protected] 8.0 2.04% 2018-02-11 2026-06-16
«« 第一頁 « 上一頁 第 1 / 1 頁 下一頁 »
cvelogic Threat Intelligence