Typo3

SQL Injection in extension "Event management and registration" (sf_event_mgt)

Release Date: April 10, 2017

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.8.0 and below

Vulnerability Type: SQL Injection

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: The extension fails to properly sanitize user input and is susceptible to SQL Injection.

Solution: An updated version 1.8.1 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/sf_event_mgt/1.8.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Torben Hansen who discovered and reported the vulnerability.

Note: In case you extended the controller of the sf_event_mgt extension in your own extensions, be sure to apply the fix there too.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.


SQL Injection in extension "News system" (news)

Release Date: April 10, 2017

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: versions 3.2.6 and below, 4.0.0 to 4.3.0 and 5.0.0 to 5.3.2

Vulnerability Type: SQL Injection

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: The extension fails to properly sanitize user input and is susceptible to SQL Injection.

Solution: The updated versions 3.2.7 and 5.3.3 are available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/view/news. Users of the extension are advised to update the extension as soon as possible. The updated version 4.3.1 will be available from version control or via composer.

Credits: Credits go to Ambionics Security who discovered and reported the vulnerability.

Note: In case you extended the controller of the News extension in your own extensions, be sure to apply the fix there too.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.


Cross-Site Scripting in TYPO3 CMS

Component Type: TYPO3 CMS

Release Date: February 28, 2017


Vulnerability Type: Cross-Site Scripting

Affected Versions: 7.6.0 to 7.6.15 and 8.0.0 to 8.6.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Because user input is not properly encoded on output, several places in TYPO3 CMS are vulnerable to Cross-Site Scripting.

Solution: Update to TYPO3 versions 7.6.16 or 8.6.1 that fix the problem described.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.


Authentication Bypass in TYPO3 Frontend

Component Type: TYPO3 CMS

Release Date: February 28, 2017


Vulnerable subcomponent: Frontend

Vulnerability Type: Authentication Bypass

Affected Versions: Versions 8.2.0 to 8.6.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Due to late TCA initialization, the authentication service fails to restrict frontend users according to the validation rules. It is therefore possible to authenticate restricted (e.g. disabled) frontend users.

Solution: Update to TYPO3 version 8.6.1 that fixes the problem described.

Credits: Thanks to Thomas Dahlke who discovered and reported the issue.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.


Remote Code Execution in third party library swiftmailer

Component Type: TYPO3 CMS

Release Date: January 3, 2017


Vulnerability Type: Remote Code Execution

Affected Versions: 6.2.0 to 6.2.29, 7.6.0 to 7.6.14 and 8.0.0 to 8.5.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: TYPO3 uses the package swiftmailer/swiftmailer for mail actions. This package is known to be vulnerable to Remote Code Execution.

Solution: Update to TYPO3 versions 6.2.30, 7.6.15 or 8.5.1 that ship an updated package.

Additional Information: The swiftmailer package has deprecated its support for the mail() transport. To prevent a possible exploit, we recommend configuring the TYPO3 MAIL settings to use any transport method other than mail. Further information about the swiftmailer vulnerability can be found at https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.


Path Traversal in TYPO3 Core

Component Type: TYPO3 CMS

Release Date: November 22, 2016


Vulnerable subcomponent: Core

Vulnerability Type: Path Traversal

Affected Versions: Versions 6.2.0 to 6.2.28, 7.6.0 to 7.6.12 and 8.0.0 to 8.4.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Due to an overly loose type check in an API method, attackers could bypass the directory traversal check by providing an invalid UTF-8 encoding sequence.

Solution: Update to TYPO3 versions 6.2.29, 7.6.13 or 8.4.1 that fix the problem described.

Important Note: On TYPO3 installations that have file or folder names containing invalid UTF-8 encoding, accessing these files now triggers an error. It is recommended to rename such files so that their names contain only valid encoding sequences.

Credits: Thanks to Gerrit Venema who discovered and reported the issue.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.


Insecure Unserialize in TYPO3 Backend

Component Type: TYPO3 CMS

Release Date: November 22, 2016


Vulnerable subcomponent: Backend

Vulnerability Type: Insecure Unserialize

Affected Versions: Versions 6.2.0 to 6.2.28, 7.6.0 to 7.6.12 and 8.0.0 to 8.4.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:P/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Because it fails to properly validate incoming data, the suggest wizard is susceptible to insecure unserialize. A valid backend user account is needed to exploit this vulnerability.

Solution: Update to TYPO3 versions 6.2.29, 7.6.13 or 8.4.1 that fix the problem described.


Credits: Thanks to TYPO3 core team member Christian Kuhn who discovered and reported the issue.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.


Unvalidated Redirect in extension "TC Directmail" (tcdirectmail)

Release Date: November 14, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 3.1.2 and below

Vulnerability Type: Unvalidated Redirect

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C

Problem Description: The extension rewrites the links within a test newsletter and uses its own eID script for redirects. It fails to ensure the integrity of the provided information and redirects based on untrusted data.

Solution: An updated version 3.1.3 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/tcdirectmail/3.1.3/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to the security team member Valentin Despa who discovered and reported the vulnerability.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.


SQL Injection in extension "Member Infosheets" (if_membersheet)

Release Date: November 14, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 0.1.2 and below

Vulnerability Type: SQL Injection

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input and is vulnerable to SQL Injection.

Solution: An updated version 0.1.3 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/if_membersheet/0.1.3/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Ingo Schmitt who discovered and reported the vulnerability.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.


Cross-Site Scripting in extension "Secure Download Form" (rs_securedownload)

Release Date: November 14, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 0.3.2 and below

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input and is vulnerable to Cross-Site Scripting.

Solution: An updated version 0.3.3 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/rs_securedownload/0.3.3/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Torben Hansen who discovered and reported the vulnerability.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
