Aggregated CVE and security vulnerability intelligence for all typesettercms products, including CVSS, EPSS, publication dates and related vulnerability intelligence data.
The recurring weakness patterns are cross-site scripting (XSS) and cross-site request forgery (CSRF) in the administrative interface, plus one Host header injection and one admin-only PHP upload. In a production deployment these translate into session hijacking of an authenticated administrator, forged administrative actions (user creation, modification or deletion, forced logout), web cache poisoning or password-reset abuse, and, where the ZIP upload issue applies, arbitrary PHP execution on the server.
The data is drawn mainly from public vulnerability disclosures and security advisories and is intended for assessing historical exposure and ranking remediation. Two caveats when reading the table: almost every entry requires an authenticated (often administrative) user, so the CVSS score already assumes that privilege, and EPSS estimates the probability of exploitation in the wild rather than severity, so the two columns should be read together rather than substituting one for the other. "Max CVSS" is the highest score reported among the listed sources.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-71166 | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | [email protected] | 4.8 | 0.19% | 2026-01-14 | 2026-06-17 |
| CVE-2025-71165 | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | [email protected] | 4.8 | 0.19% | 2026-01-14 | 2026-06-17 |
| CVE-2025-71164 | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's brow | [email protected] | 4.8 | 0.19% | 2026-01-14 | 2026-06-17 |
| CVE-2022-25523 | TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request. | [email protected] | 8.8 | 0.64% | 2022-03-25 | 2026-06-17 |
| CVE-2020-19511 | Cross-site scripting vulnerability in Typesetter 5.1 via the (1) className and (2) Description fields in index.php/Admin/Classes. | [email protected] | 6.1 | 0.82% | 2021-06-21 | 2026-06-16 |
| CVE-2020-35126 | Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy." | [email protected] | 4.8 | 0.69% | 2020-12-10 | 2026-06-16 |
| CVE-2020-25790 | Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our security policy" and is being fixed for 5.2. | [email protected] | 7.2 | 15.58% | 2020-09-19 | 2026-06-16 |
| CVE-2019-20077 | The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. The logout function of the admin panel is not protected by any CSRF tokens. An attacker can logout the user using this vulnerability. | [email protected] | 4.3 | 0.41% | 2020-01-05 | 2026-06-16 |
| CVE-2018-16639 | Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter during new page creation. | [email protected] | 5.4 | 0.70% | 2019-05-13 | 2026-06-16 |
| CVE-2018-16626 | index.php/Admin/Classes in Typesetter 5.1 allows XSS via the description of a new class name. | [email protected] | 4.8 | 0.68% | 2019-05-13 | 2026-06-16 |
| CVE-2018-16625 | index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element. | [email protected] | 4.8 | 0.68% | 2019-05-13 | 2026-06-16 |
| CVE-2018-20837 | include/admin/Menu/Ajax.php in Typesetter 5.1 has index.php/Admin/Menu/Ajax?cmd=AddHidden title XSS. | [email protected] | 4.8 | 0.75% | 2019-05-09 | 2026-06-16 |
| CVE-2018-6889 | An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability. Using this attack, a malicious user can poison the web cache, perform advanced password reset attacks, or even trigger arbitrary user redirection. | [email protected] | 8.8 | 6.82% | 2018-02-11 | 2026-06-16 |
| CVE-2018-6888 | An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from a critical Cross-Site Request Forgery (CSRF) flaw: using a forged HTTP request, a malicious user can lead a user to unknowingly create, delete or modify a user account due to the lack of an anti-CSRF token. | [email protected] | 8.0 | 2.04% | 2018-02-11 | 2026-06-16 |
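The three shapes that account for most of the table (reflected XSS in HTML body context, reflected XSS in an href attribute where a `javascript:` scheme survives encoding, and a state-changing admin action with no anti-CSRF token) are shown below as an added illustration, each vulnerable form beside a hardened one. This is not Typesetter CMS code: every function name, parameter and array key is hypothetical, and the checks at the bottom use constructed inputs. It targets PHP 8.

```php
<?php
// Added illustration, not Typesetter CMS code. All names here are hypothetical.
// Run with: php this_file.php   (PHP 8+)
declare(strict_types=1);

// 1. Reflected XSS in HTML body context (the "path" parameter shape of
//    CVE-2025-71165 / CVE-2025-71166): raw reflection vs. output encoding.
function status_message_vulnerable(string $path): string
{
    return "<p>Moved to $path</p>";            // <script> in $path runs in the admin's browser
}

function status_message_fixed(string $path): string
{
    $safe = htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Moved to $safe</p>";
}

// 2. Reflected XSS in an href attribute (the images[] shape of CVE-2025-71164).
//    Encoding alone is not enough: "javascript:alert(1)" has no HTML-special
//    characters, so htmlspecialchars() returns it unchanged and it runs on click.
function image_link_vulnerable(string $url): string
{
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">image</a>';
}

function safe_href(string $url): ?string
{
    // Browsers ignore tabs, newlines and leading control characters while parsing
    // the scheme, so "java\tscript:" is still javascript: to them. Probe a copy
    // normalized the same way and allow only http(s) or scheme-less values.
    $probe = strtolower(preg_replace('/[\x00-\x20]+/', '', $url) ?? '');
    if (preg_match('#^[a-z][a-z0-9+.-]*:#', $probe, $m) && !in_array($m[0], ['http:', 'https:'], true)) {
        return null;                            // javascript:, data:, vbscript:, ... rejected
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. CSRF on state-changing admin actions (CVE-2018-6888, CVE-2019-20077,
//    CVE-2022-25523): a per-session random token that every form must echo back.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));   // CSPRNG, 256 bits
    }
    return $session['csrf'];
}

function csrf_check(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf']) && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);  // constant-time compare
}

function delete_user_vulnerable(array $post, array &$users): bool
{
    unset($users[$post['username']]);           // any cross-site POST succeeds
    return true;
}

function delete_user_fixed(array $session, array $post, array &$users): bool
{
    if (!csrf_check($session, $post)) {
        return false;                           // caller answers 403 here
    }
    unset($users[$post['username']]);
    return true;
}

// Constructed checks exercising both the vulnerable and the hardened shapes.
function expect(bool $ok, string $what): void
{
    if (!$ok) { fwrite(STDERR, "FAIL: $what\n"); exit(1); }
}

$xss = '<script>alert(1)</script>';
expect(str_contains(status_message_vulnerable($xss), '<script>'), 'raw reflection keeps <script>');
expect(status_message_fixed($xss) === '<p>Moved to &lt;script&gt;alert(1)&lt;/script&gt;</p>', 'body context encoded');
expect(image_link_vulnerable('javascript:alert(1)') === '<a href="javascript:alert(1)">image</a>', 'encoding alone fails');
expect(safe_href('javascript:alert(1)') === null, 'javascript: rejected');
expect(safe_href("java\tscript:alert(1)") === null, 'tab-split scheme rejected');
expect(safe_href("\x01JavaScript:alert(1)") === null, 'control-prefixed scheme rejected');
expect(safe_href('https://example.org/a?b=1&c=2') === 'https://example.org/a?b=1&amp;c=2', 'https kept, encoded');
expect(safe_href('images/logo.png') === 'images/logo.png', 'relative path kept');

$session = [];
$users   = ['alice' => true, 'bob' => true];
$token   = csrf_token($session);
expect(delete_user_vulnerable(['username' => 'bob'], $users) && !isset($users['bob']), 'forged POST deletes bob');
$users['bob'] = true;
expect(!delete_user_fixed($session, ['username' => 'bob'], $users) && isset($users['bob']), 'missing token rejected');
expect(!delete_user_fixed($session, ['username' => 'bob', 'csrf' => 'x'], $users) && isset($users['bob']), 'wrong token rejected');
expect(delete_user_fixed($session, ['username' => 'bob', 'csrf' => $token], $users) && !isset($users['bob']), 'valid token accepted');
echo "all checks passed\n";
```

The point the attribute case makes is the one the CVE-2025-71164 summary calls "context-aware" encoding: `htmlspecialchars()` neutralizes characters that would break out of the attribute, but it cannot change what the browser does with a well-formed `javascript:` URL, so the scheme has to be allowlisted before the value is encoded. The CSRF form is the standard synchronizer token; a `SameSite=Lax` session cookie is a useful second layer but does not replace the token for a CMS whose admin actions are plain POSTs.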