Typesetter

typesetter

Vendor: Typesettercms • 14 CVEs

CVEs (14)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-71166 1Typesettercms 1Typesetter Jan 21, 2026 Jan 14, 2026 4.8 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected...Show more Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.Show less
CVE-2025-71165 1Typesettercms 1Typesetter Jan 21, 2026 Jan 14, 2026 4.8 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the...Show more Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.Show less
CVE-2025-71164 1Typesettercms 1Typesetter Jan 21, 2026 Jan 14, 2026 4.8 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an H...Show more Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session.Show less
CVE-2022-25523 1Typesettercms 1Typesetter Nov 21, 2024 Mar 25, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request.
CVE-2020-19511 1Typesettercms 1Typesetter Nov 21, 2024 Jun 21, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross Site Scriptiong vulnerability in Typesetter 5.1 via the !1) className and !2) Description fields in index.php/Admin/Classes,
CVE-2020-35126 1Typesettercms 1Typesetter Nov 21, 2024 Dec 11, 2020 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy.
CVE-2020-25790 1Typesettercms 1Typesetter Nov 21, 2024 Sep 19, 2020 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustwo...Show more Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our security policy" and is being fixed for 5.2Show less
CVE-2019-20077 1Typesettercms 1Typesetter Nov 21, 2024 Jan 5, 2020 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. The logout function of the admin panel is not protected by any CSRF tokens. An attacker can logout the user using this vulnerability.
CVE-2018-16639 1Typesettercms 1Typesetter Nov 21, 2024 May 13, 2019 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter during new page creation.
CVE-2018-16626 1Typesettercms 1Typesetter Nov 21, 2024 May 13, 2019 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 index.php/Admin/Classes in Typesetter 5.1 allows XSS via the description of a new class name.
CVE-2018-16625 1Typesettercms 1Typesetter Nov 21, 2024 May 13, 2019 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element.
CVE-2018-20837 1Typesettercms 1Typesetter Nov 21, 2024 May 9, 2019 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 include/admin/Menu/Ajax.php in Typesetter 5.1 has index.php/Admin/Menu/Ajax?cmd=AddHidden title XSS.
CVE-2018-6889 1Typesettercms 1Typesetter Nov 21, 2024 Feb 12, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability, Using this attack, a malicious user can poison the web cache or perform advanced password reset attacks or even trigger ar...Show more An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability, Using this attack, a malicious user can poison the web cache or perform advanced password reset attacks or even trigger arbitrary user re-direction.Show less
CVE-2018-6888 1Typesettercms 1Typesetter Nov 21, 2024 Feb 12, 2018 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from critical flaw of Cross Site Request forgery: using a forged HTTP request, a malicious user can lead a user to unknowingl...Show more An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from critical flaw of Cross Site Request forgery: using a forged HTTP request, a malicious user can lead a user to unknowingly create / delete or modify a user account due to the lack of an anti-CSRF token.Show less