Category Archives: Typo3

Cross-Site Scripting in extension "Bootstrap Package" (bootstrap_package)

Release Date: June 15, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 6.2.15 and below

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input and is vulnerable to Cross-Site Scripting. To exploit the vulnerability a valid backend user account is required.

Solution: An updated version 6.2.16 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/bootstrap_package/6.2.16/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Falk Huber who discovered and reported the vulnerability.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Information Disclosure in "MMC directmail subscription" (mmc_directmail_subscription)

Release Date: May 31, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 0.9.6 and below

Vulnerability Type: Information Disclosure

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

Problem Description: The extension discloses personal data of newsletter subscribers. Such data might be cached and indexed by search engines.

Solution: An updated version 0.9.7 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/mmc_directmail_subscription/0.9.7/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Loek Hilgersom who discovered the vulnerability.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Multiple vulnerabilities in extension "http:BL Blocking" (mh_httpbl)

Release Date: May 31, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 1.1.7 and below

Vulnerability Type: SQL injection, Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:P/E:F/RL:O/RC:C

Problem Description: Failing to properly escape user input, the extension is susceptible to SQL Injection and Cross-Site Scripting. The SQL Injection vulnerability is exploitable only by a user who has access to the backend module.

Solution: An updated version 1.1.8 is available from the TYPO3 extension manager and at https://typo3.org/extensions/repository/download/mh_httpbl/1.1.8/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Thanks to Wouter van Dongen who discovered and reported the vulnerability.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Non-Persistent Cross-Site Scripting in extension "Static Methods since 2007" (div2007)

Release Date: May 31, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.6.8 and below

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

Problem Description: Because it ships its own copy of the class GeneralUtility, the extension div2007 is susceptible to Non-Persistent Cross-Site Scripting. Further information can be found in the TYPO3-CORE-SA-2015-009 advisory.

Solution: An updated version 1.6.9 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/div2007/1.6.9/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Stephan Großberndt who discovered and reported the vulnerability.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Information Disclosure in extension "Questionnaire" (ke_questionnaire)

Release Date: May 31, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 2.5.8 and below

Vulnerability Type: Information Disclosure

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:W/RL:W/RC:C

CVE: CVE-2014-3758

Problem Description: Files containing the answered questionnaires are stored in the "typo3temp" directory within the TYPO3 installation. As the extension uses predictable names for the questionnaire answer files, it is easy to guess those file names and download the answer files.

Solution: An updated version 3.0.14 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/ke_questionnaire/3.0.14/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Patrick Hof and Henri Salo who reported the vulnerability.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

SQL Injection in extension "Browser – TYPO3 without PHP" (browser)

Release Date: May 31, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 7.4.8 and below

Vulnerability Type: SQL Injection

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input and is vulnerable to SQL Injection. This vulnerability is only exploitable if the Development Reporting System (DRS) is enabled and any filter is used. DRS is disabled by default.

Solution: An updated version 7.5.0 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/browser/7.5.0/t3x/. Users of the extension are advised to update the extension as soon as possible.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Path Traversal in extension "Media management" (media)

Release Date: May 27, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 4.0.3 and below

Vulnerability Type: Path Traversal

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input and is vulnerable to Path Traversal. This vulnerability is only exploitable by a TYPO3 backend user who has access to the media backend module.

Solution: Updated versions 3.7.5 and 4.0.4 are available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/media/3.7.5/t3x/ and http://typo3.org/extensions/repository/download/media/4.0.4/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Falk Huber who discovered and reported the issue.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in extension "Formhandler" (formhandler)

Release Date: May 27, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 2.3.0 and below

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input and is vulnerable to Cross-Site Scripting.

Solution: Updated versions 2.3.1 and 2.0.2 are available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/formhandler/2.3.1/t3x/ and http://typo3.org/extensions/repository/download/formhandler/2.0.2/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Lubomir Stroetmann who discovered and reported the issue.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Missing Access Check in extension "Frontend User Registration" (sf_register)

Release Date: May 24, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 6.2.7 and below

Vulnerability Type: Missing Access Check

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C

Problem Description: Because the extension fails to properly sanitize user input, it might be vulnerable to information disclosure or remote code execution.

Solution: Updated versions 1.4.3, 6.0.4 and 6.2.8 are available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/sf_register/1.4.3/t3x/, http://typo3.org/extensions/repository/download/sf_register/6.0.4/t3x/ and http://typo3.org/extensions/repository/download/sf_register/6.2.8/t3x/. Users of the extension are advised to update the extension as soon as possible.

Note: Further information can be found in the TYPO3-CORE-SA-2016-013 advisory.

Credits: Credits go to Oliver Hader who discovered and reported the issue.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.