Category Archives: Typo3


Cross-Site Scripting in third party library mso/idna-convert

Component Type: TYPO3 CMS

Release Date: July 19, 2016


Vulnerability Type: Cross-Site Scripting

Affected Versions: 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: TYPO3 ships example code from mso/idna-convert library in the vendor folder, which is vulnerable to Cross-Site Scripting.

Solution: Update to TYPO3 versions 7.6.10 or 8.2.1 that fix the problem described.

Alternative Solution: Do not expose the vendor directory inside the publicly accessible document root. In Composer-managed installations, configure a dedicated web folder. In general it is recommended not to expose the complete typo3_src sources folder in the document root.

Credits: Thanks to Frank Huber who discovered and reported the issue.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Environment Variable Injection

Component Type: TYPO3 CMS

Release Date: July 19, 2016


Vulnerability Type: Environment Variable Injection

Affected Versions: Versions 8.0.0 to 8.2.0

Severity: Low

related CVE: CVE-2016-5385

Problem Description: PHP, when used as CGI, FPM or HHVM, also exposes HTTP request headers as environment variables starting with “HTTP_”. TYPO3 version 8.2.0 is vulnerable because it uses the third party library guzzlehttp/guzzle, which makes use of the environment variable “HTTP_PROXY”. Read https://www.symfony.fi/entry/httpoxy-vulnerability-hits-php-installations-using-fastcgi-and-php-fpm-and-hhvm or https://httpoxy.org/ for further details.

Solution: Update to TYPO3 version 8.2.1 that fixes the problem described.
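The rule behind the fix, shown as an added example written for this page (it is not TYPO3 or guzzlehttp/guzzle code; the function names and the sample request below are constructed). Under a web SAPI an incoming “Proxy:” request header is exposed as HTTP_PROXY, so the variable may only be honoured when PHP runs on the command line; the second function gives an application-level detection point for the header.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 or guzzlehttp/guzzle code. Under CGI, FPM or
// HHVM a request header "Proxy: ..." is mapped to the environment variable
// HTTP_PROXY (CGI meta-variable naming: upper-cased, HTTP_ prefix), so an
// outbound HTTP client must not trust HTTP_PROXY while serving a request.

/**
 * Return the outbound proxy URL to use, or null for a direct connection.
 *
 * @param array<string,string> $env  environment snapshot, e.g. getenv() or $_SERVER
 * @param string               $sapi value of PHP_SAPI / php_sapi_name()
 */
function resolveProxy(array $env, string $sapi): ?string
{
    // The lower-case name cannot be produced from a request header: CGI
    // meta-variables are always upper-cased, so http_proxy only comes from
    // the real process environment.
    if (!empty($env['http_proxy'])) {
        return $env['http_proxy'];
    }
    // HTTP_PROXY collides with the "Proxy" request header. Trust it only
    // when there is no HTTP request at all, i.e. on the command line.
    if ($sapi === 'cli' && !empty($env['HTTP_PROXY'])) {
        return $env['HTTP_PROXY'];
    }
    return null;
}

/**
 * Detection aid for request handling: true when a client sent a "Proxy"
 * header, which no legitimate browser or API client needs to do. Log or
 * reject such requests at the web server or application layer.
 */
function requestCarriesProxyHeader(array $server, string $sapi): bool
{
    return $sapi !== 'cli' && isset($server['HTTP_PROXY']);
}

// Constructed sample: a FastCGI request that carried a "Proxy" header.
$server = [
    'HTTP_HOST'  => 'www.example.org',
    'HTTP_PROXY' => 'http://injected.example:8080',
];
var_dump(resolveProxy($server, 'fpm-fcgi'));              // request-supplied value is ignored
var_dump(requestCarriesProxyHeader($server, 'fpm-fcgi')); // flags the header

// Constructed sample: the same variable from a shell session is honoured.
var_dump(resolveProxy(['HTTP_PROXY' => 'http://proxy.internal:3128'], 'cli'));
```

The web-server side of the same mitigation is to drop the “Proxy” request header before it reaches PHP, which the httpoxy.org page linked above describes for common servers.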


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Cross-Site Scripting vulnerability in typolinks

Component Type: TYPO3 CMS

Release Date: July 19, 2016


Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: All link fields within the TYPO3 installation are vulnerable to Cross-Site Scripting, as authorized editors can insert links using the URL scheme “data:”.

Solution: Update to TYPO3 versions 6.2.26, 7.6.10 or 8.2.1 that fix the problem described. The typoLink() function disables the insecure URL scheme “data:”.
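An added example of the defensive direction for link fields: an allow-list of URL schemes rather than a deny-list, so “data:” and any other unlisted scheme is refused. This is illustration code written for this page, not TYPO3's typoLink() implementation; the function names, the scheme list and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Validates an editor-supplied link target
// against an allow-list of schemes before it is rendered as an href.

/** Schemes a content link may use; assumed list, adjust to the site's needs. */
const ALLOWED_LINK_SCHEMES = ['http', 'https', 'mailto', 'tel'];

/**
 * True when the target may be rendered as an href. Scheme-less targets
 * (relative paths, fragments, //host/... links) are accepted; anything with
 * a scheme must use an allow-listed one.
 */
function isAllowedLinkTarget(string $target): bool
{
    // Remove ASCII control characters and spaces before inspecting the
    // scheme, since browsers tolerate tabs and newlines inside a URL.
    $normalized = preg_replace('/[\x00-\x20]+/', '', $target) ?? '';
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $normalized, $m)) {
        return true; // no scheme at all: relative link
    }
    return in_array(strtolower($m[1]), ALLOWED_LINK_SCHEMES, true);
}

/** Render a link, or only its label when the target is not acceptable. */
function renderLink(string $target, string $label): string
{
    $safeLabel = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (!isAllowedLinkTarget($target)) {
        return $safeLabel;
    }
    $safeHref = htmlspecialchars(trim($target), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safeHref . '">' . $safeLabel . '</a>';
}

// Constructed inputs: typical editor values plus the scheme this advisory is about.
$samples = [
    'https://example.org/page',
    '/fileadmin/brochure.pdf',
    'mailto:info@example.org',
    'data:text/plain,hello',
    " DATA:text/plain;base64,aGVsbG8=",
];
foreach ($samples as $t) {
    printf("%-40s %s\n", $t, isAllowedLinkTarget($t) ? 'allowed' : 'rejected');
}
echo renderLink('data:text/plain,hello', 'Read more'), "\n";
```

The check is case-insensitive and strips control characters first, so variants such as an upper-cased or tab-padded scheme are classified the same way as the plain form.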

Credits: Thanks to Valentin Despa who discovered and reported the issue.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Information Disclosure in TYPO3 Backend

Component Type: TYPO3 CMS

Release Date: July 19, 2016


Vulnerable subcomponent: Backend

Vulnerability Type: Information Disclosure

Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: The TYPO3 backend module stores the username of an authenticated backend user in its cache files. By guessing the file path to the cache files it is possible to obtain valid backend usernames.

Solution: Update to TYPO3 versions 6.2.26, 7.6.10 or 8.2.1 that fix the problem described.

Credits: Thanks to Matthias Kappenberg who discovered and reported the issue.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

SQL Injection in TYPO3 Frontend Login

Component Type: TYPO3 CMS

Release Date: July 19, 2016


Vulnerable subcomponent: Frontend Login

Vulnerability Type: SQL Injection

Affected Versions: Versions 6.2.0 to 6.2.25 and 7.6.0 to 7.6.9

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly escape user input, the frontend login component is vulnerable to SQL Injection. A valid frontend user account is needed to exploit this vulnerability.

Solution: Update to TYPO3 versions 6.2.26 or 7.6.10 that fix the problem described.
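An added example contrasting the defect class named above with its fix: a query built by string concatenation next to a prepared statement. This is illustration code written for this page, not the TYPO3 Frontend Login code; it uses an in-memory SQLite database and a constructed fe_users table so it runs stand-alone, and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Shows why user input must reach the
// database as a bound parameter rather than as part of the SQL text.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed table standing in for the frontend user table.
$db->exec('CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, username TEXT NOT NULL, disabled INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO fe_users (username) VALUES ('editor'), ('o''brien')");

/** Vulnerable form: the username becomes part of the statement text. */
function findUserUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT uid, username FROM fe_users WHERE disabled = 0 AND username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

/** Hardened form: the value travels as a parameter and never alters the SQL. */
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT uid, username FROM fe_users WHERE disabled = 0 AND username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// A legitimate username containing a quote is enough to show the difference:
// the concatenated query turns the quote into SQL syntax, the prepared one does not.
$input = "o'brien";
try {
    var_dump(findUserUnsafe($db, $input));
} catch (PDOException $e) {
    echo "unsafe query failed: the quote was parsed as SQL syntax\n";
}
var_dump(findUser($db, $input));
```

The same contrast applies to TYPO3's own database API: values passed through its query builder or prepared-statement helpers are quoted by the driver, whereas values interpolated into a query string by hand are not.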

Credits: Thanks to Oliver Hader who discovered and reported the issue.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Insecure Unserialize in TYPO3 Import/Export

Component Type: TYPO3 CMS

Release Date: July 19, 2016


Vulnerable subcomponent: Import/Export

Vulnerability Type: Insecure Unserialize

Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:P/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly validate incoming import data, the Import/Export component is susceptible to insecure unserialize. To exploit this vulnerability a valid backend user account is needed.

Solution: In the released TYPO3 versions 6.2.26, 7.6.10 or 8.2.1 the Import/Export module is disabled by default for non-admin users. To re-activate the Import/Export module for trusted users, please add “options.impexp.enableImportForNonAdminUser = 1” to the user's TSconfig.
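An added example of how application code can deserialize data from a less trusted source without letting it instantiate application classes. This is illustration code written for this page, not the TYPO3 Import/Export code; the function names and the sample payloads are constructed. It relies on the allowed_classes option of unserialize(), available since PHP 7.0.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Decodes a PHP-serialized payload while
// refusing object instantiation, which is what makes unserialize() of
// untrusted input dangerous (constructors, __wakeup() and __destruct()
// of arbitrary application classes would otherwise run during decoding).

/**
 * Decode a serialized payload that may only contain scalars and arrays.
 *
 * @throws InvalidArgumentException on malformed input or when objects are present
 */
function decodeUntrustedPayload(string $payload): array
{
    // allowed_classes => false maps every serialized object to
    // __PHP_Incomplete_Class instead of the named class.
    $data = @unserialize($payload, ['allowed_classes' => false]);
    if ($data === false && $payload !== serialize(false)) {
        throw new InvalidArgumentException('malformed payload');
    }
    if (containsObject($data)) {
        throw new InvalidArgumentException('payload contains objects, rejected');
    }
    return is_array($data) ? $data : ['value' => $data];
}

/** Recursively check for any object (including __PHP_Incomplete_Class). */
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed payloads: plain page data, and the same data with an object inside.
$plain      = serialize(['pages' => [['uid' => 1, 'title' => 'Home']]]);
$withObject = serialize(['pages' => [new stdClass()]]);

var_dump(decodeUntrustedPayload($plain));
try {
    decodeUntrustedPayload($withObject);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Where the data format is under your control, a structured format such as JSON that has no object-instantiation semantics avoids the problem entirely; the option above is for cases where the serialized format cannot be changed.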

Credits: Thanks to Franz Jahn who discovered and reported the issue.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Cross-Site Scripting in TYPO3 Backend

Component Type: TYPO3 CMS

Release Date: July 19, 2016


Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly encode user input, some backend components are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.

Solution: Update to TYPO3 versions 6.2.26, 7.6.10 or 8.2.1 that fix the problem described.

Credits: Thanks to Falk Huber, Markus Bucher, Martin Heigermoser and Nicole Cordes who discovered and reported the issues.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Insecure Unserialize in extension "Page path" (pagepath)

Release Date: July 7, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.0.3 and below

Vulnerability Type: Insecure Unserialize

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

Problem Description: The extension unserializes strings from an untrusted source.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension is no longer maintained and the author will not provide a security fix for the reported vulnerability. Please uninstall and delete the extension from your installation.

Credits: Credits go to the security team member Helmut Hummel who discovered and reported the vulnerability.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in extension "CCDebug" (cc_debug)

Release Date: July 7, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.0.0 and below

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input.

Solution: An updated version 1.0.1 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/cc_debug/1.0.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Sebastian Fischer who discovered and reported the vulnerability.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in extension "Bootstrap Package" (bootstrap_package)

Release Date: June 15, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 6.2.15 and below

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input and is vulnerable to Cross-Site Scripting. To exploit the vulnerability a valid backend user account is required.

Solution: An updated version 6.2.16 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/bootstrap_package/6.2.16/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Falk Huber who discovered and reported the vulnerability.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.