Category Archives: Typo3

Cross-Site Scripting in form component

Component Type: TYPO3 CMS

Release Date: February 16, 2016

 

Vulnerable subcomponent: form component

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.17

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to sanitize content from unauthenticated website visitors, the form component is susceptible to Cross-Site Scripting.

Solution: Update to TYPO3 version 6.2.18 that fixes the problem described.

Credits: Thanks to David Vieira-Kurz who discovered and reported the issue.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Cross-Site Scripting in legacy form component

Component Type: TYPO3 CMS

Release Date: February 16, 2016

 

Vulnerable subcomponent: legacy form component

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.17

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to sanitize content from editors, the legacy form component is susceptible to Cross-Site Scripting. A valid editor account with access to a form content element is required to exploit this vulnerability.

Solution: Update to TYPO3 version 6.2.18 that fixes the problem described.

Credits: Thanks to Georg Ringer who discovered and reported the issue.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Cross-Site Scripting in link validator component

Component Type: TYPO3 CMS

Release Date: February 16, 2016

 

Vulnerable subcomponent: link validator

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.17 and 7.6.0 to 7.6.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to sanitize content from editors, the link validator component is susceptible to Cross-Site Scripting. A valid editor account with access to content which is scanned by the link validator component is required to exploit this vulnerability.

Solution: Update to TYPO3 versions 6.2.18 or 7.6.3 that fix the problem described.

Credits: Thanks to Steffen Müller who discovered and reported the issue.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

SQL Injection in dbal

Component Type: TYPO3 CMS

Release Date: February 16, 2016

 

Vulnerable subcomponent: Dbal

Vulnerability Type: SQL Injection

Affected Versions: Versions 6.2.0 to 6.2.17

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: A flaw in the database escaping API results in a SQL injection vulnerability when the extension dbal is enabled and configured for MySQL passthrough mode in its extension configuration. All queries which use DatabaseConnection::sql_query are vulnerable, even if arguments were properly escaped with DatabaseConnection::quoteStr beforehand.

Solution: Update to TYPO3 version 6.2.18, which fixes the problem described.

Credits: Thanks to Mohamed Rebai who discovered and reported the issue.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Cross-Site Scripting in TYPO3 component Indexed Search

Component Type: TYPO3 CMS

Release Date: December 15, 2015

 

Vulnerable subcomponent: Indexed Search

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.15

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly encode editor input, the search result view of indexed_search is susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML.

Solution: Update to TYPO3 version 6.2.16, which fixes the problem described.

Credits: Thanks to Dmitry Dulepov who discovered and reported the issue.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

TYPO3 is susceptible to Cross-Site Flashing

Component Type: TYPO3 CMS

Release Date: December 15, 2015

 

Vulnerable subcomponent: Flvplayer

Vulnerability Type:

Affected Versions: Versions 6.2.0 to 6.2.15

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: The Flash player fails to validate Flash and image files. It is therefore possible to embed Flash videos from external domains.

Solution: Update to TYPO3 version 6.2.16, which fixes the problem described.

Credits: Thanks to Heiko Kromm who discovered and reported the issue.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Multiple Cross-Site Scripting vulnerabilities in frontend

Component Type: TYPO3 CMS

Release Date: December 15, 2015

 

Vulnerable subcomponent: Frontend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.15, 7.0.0 to 7.6.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly encode editor input, several frontend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML.

Solution: Update to TYPO3 versions 6.2.16 or 7.6.1 that fix the problem described.

Important Note: Please note that these fixes add default TypoScript settings. If you overwrite or delete the provided TypoScript for css_styled_content and/or fe_login, make sure you add the htmlspecialchars function on your own. These are the TypoScript settings that need to be changed to apply proper HTML encoding to editor content:

plugin.tx_felogin_pi1 {
    welcomeHeader_stdWrap {
        htmlSpecialChars = 1
    }
    welcomeMessage_stdWrap {
        htmlSpecialChars = 1
    }
    successHeader_stdWrap {
        htmlSpecialChars = 1
    }
    successMessage_stdWrap {
        htmlSpecialChars = 1
    }
    logoutHeader_stdWrap {
        htmlSpecialChars = 1
    }
    logoutMessage_stdWrap {
        htmlSpecialChars = 1
    }
    errorHeader_stdWrap {
        htmlSpecialChars = 1
    }
    errorMessage_stdWrap {
        htmlSpecialChars = 1
    }
    forgotHeader_stdWrap {
        htmlSpecialChars = 1
    }
    forgotMessage_stdWrap {
        htmlSpecialChars = 1
    }
    forgotErrorMessage_stdWrap {
        htmlSpecialChars = 1
    }
    forgotResetMessageEmailSentMessage_stdWrap {
        htmlSpecialChars = 1
    }
    changePasswordNotValidMessage_stdWrap {
        htmlSpecialChars = 1
    }
    changePasswordTooShortMessage_stdWrap {
        htmlSpecialChars = 1
    }
    changePasswordNotEqualMessage_stdWrap {
        htmlSpecialChars = 1
    }
    changePasswordHeader_stdWrap {
        htmlSpecialChars = 1
    }
    changePasswordMessage_stdWrap {
        htmlSpecialChars = 1
    }
    changePasswordDoneMessage_stdWrap {
        htmlSpecialChars = 1
    }
    cookieWarning_stdWrap {
        htmlSpecialChars = 1
    }
}

tt_content.table {
    20.innerStdWrap.parseFunc >
    20.innerStdWrap.htmlSpecialChars = 1
}

tt_content.bullets.20.split {
    1.parseFunc >
    1.htmlSpecialChars = 1

    2.parseFunc >
    2.htmlSpecialChars = 1
}


tt_content.image.20.1.altText {
    stripHtml >
    htmlSpecialChars = 1
}

tt_content.image.20.caption.1.1 {
    parseFunc >
    htmlSpecialChars = 1
}

Please note that if editors were allowed to edit HTML in your particular installation, you need to adapt the TypoScript to allow HTML input again. Be aware, however, that your editors will then have full control over HTML, which is equivalent to having permission to create HTML content elements.
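As an added example (not part of the advisory and not TYPO3 code), this Python sketch checks whether a site's combined TypoScript still enables htmlSpecialChars on the stdWrap paths listed above after local overrides are applied. The flattener is deliberately simplified, and the names `flatten`, `missing_encoding`, `REQUIRED` and the sample override are constructed for illustration.

```python
import re

ASSIGN = re.compile(r"^([\w.\-]+)\s*(=<|=|<|>)\s*(.*)$")
BLOCK = re.compile(r"^([\w.\-]+)\s*\{$")

def flatten(typoscript):
    """Flatten TypoScript to {dotted.path: value}; later lines win (simplified)."""
    settings, stack = {}, []
    for raw in typoscript.splitlines():
        line = raw.strip()
        # Comment and blank lines match neither pattern, so they are skipped.
        block, m = BLOCK.match(line), ASSIGN.match(line)
        if line == "}":
            stack = stack[:-1]
        elif block:
            stack.append(block.group(1))
        elif m and m.group(2) == ">":  # "path >" unsets the object and its children
            gone = ".".join(stack + [m.group(1)])
            settings = {k: v for k, v in settings.items()
                        if k != gone and not k.startswith(gone + ".")}
        elif m:
            settings[".".join(stack + [m.group(1)])] = m.group(3).strip()
    return settings

def missing_encoding(typoscript, required):
    """Return the stdWrap paths whose htmlSpecialChars is absent, empty or 0."""
    settings = flatten(typoscript)
    return [p for p in required
            if settings.get(p + ".htmlSpecialChars", "") in ("", "0")]

# Three paths from the advisory's listing, then a constructed site override.
REQUIRED = ["plugin.tx_felogin_pi1.welcomeHeader_stdWrap",
            "plugin.tx_felogin_pi1.errorMessage_stdWrap",
            "tt_content.table.20.innerStdWrap"]
SAMPLE = """
plugin.tx_felogin_pi1 {
    welcomeHeader_stdWrap.htmlSpecialChars = 1
    errorMessage_stdWrap.htmlSpecialChars = 1
}
tt_content.table.20.innerStdWrap.htmlSpecialChars = 1
# constructed override: replaces one object, disables encoding on another
plugin.tx_felogin_pi1.errorMessage_stdWrap >
plugin.tx_felogin_pi1.errorMessage_stdWrap.wrap = <p class="error">|</p>
tt_content.table.20.innerStdWrap.htmlSpecialChars = 0
"""

if __name__ == "__main__":
    for path in missing_encoding(SAMPLE, REQUIRED):
        print("no HTML encoding:", path)
```

The flattener does not handle conditions, includes, multi-line values or block comments, so run it against the fully resolved template rather than individual include files.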

Credits: Thanks to Nils Juenemann and the security team member Georg Ringer who discovered and reported the issues.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.
