Category Archives: Typo3

SQL Injection in extension "Event management and registration" (sf_event_mgt)

Release Date: April 10, 2017

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.8.0 and below

Vulnerability Type: SQL Injection

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: The extension fails to properly sanitize user input and is susceptible to SQL Injection.

Solution: An updated version 1.8.1 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/sf_event_mgt/1.8.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Torben Hansen who discovered and reported the vulnerability.

Note: In case you extended the controller of the sf_event_mgt extension in your own extensions, be sure to apply the fix there too.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

SQL Injection in extension "News system" (news)

Release Date: April 10, 2017

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: versions 3.2.6 and below, 4.0.0 to 4.3.0 and 5.0.0 to 5.3.2

Vulnerability Type: SQL Injection

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: The extension fails to properly sanitize user input and is susceptible to SQL Injection.

Solution: The updated versions 3.2.7 and 5.3.3 are available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/view/news. Users of the extension are advised to update the extension as soon as possible. The updated version 4.3.1 will be available from version control or via composer.

Credits: Credits go to Ambionics Security who discovered and reported the vulnerability.

Note: In case you extended the controller of the News extension in your own extensions, be sure to apply the fix there too.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in TYPO3 CMS

Component Type: TYPO3 CMS

Release Date: February 28, 2017

Vulnerability Type: Cross-Site Scripting

Affected Versions: 7.6.0 to 7.6.15 and 8.0.0 to 8.6.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Because user input is not properly encoded, several places in TYPO3 CMS are vulnerable to Cross-Site Scripting.

Solution: Update to TYPO3 versions 7.6.16 or 8.6.1 that fix the problem described.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Authentication Bypass in TYPO3 Frontend

Component Type: TYPO3 CMS

Release Date: February 28, 2017

Vulnerable subcomponent: Frontend

Vulnerability Type: Authentication Bypass

Affected Versions: Versions 8.2.0 to 8.6.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Due to late TCA initialization, the authentication service fails to restrict frontend users according to the validation rules. Therefore, restricted (e.g. disabled) frontend users can still authenticate.

Solution: Update to TYPO3 version 8.6.1 that fixes the problem described.

Credits: Thanks to Thomas Dahlke who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Remote Code Execution in third party library swiftmailer

Component Type: TYPO3 CMS

Release Date: January 3, 2017

Vulnerability Type: Remote Code Execution

Affected Versions: 6.2.0 to 6.2.29, 7.6.0 to 7.6.14 and 8.0.0 to 8.5.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: TYPO3 uses the package swiftmailer/swiftmailer for mail actions. This package is known to be vulnerable to Remote Code Execution.

Solution: Update to TYPO3 versions 6.2.30, 7.6.15 or 8.5.1 that ship an updated package.

Additional Information: The swiftmailer package has deprecated its support for the mail() transport. To prevent a possible exploit, we recommend configuring the TYPO3 MAIL settings to use a transport method other than mail(). Further information about the swiftmailer vulnerability can be found at https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html.

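The transport change recommended above, as an added configuration example that is not part of the bulletin: a fragment for typo3conf/AdditionalConfiguration.php that replaces the mail() transport with SMTP (or sendmail). The SMTP host, account name and password are placeholders.

```php
<?php
// Added example, not TYPO3 project code: typo3conf/AdditionalConfiguration.php
// fragment. Hostname, username and password below are placeholders.

// Setting to move away from while the bundled swiftmailer is unpatched:
// PHP's mail() transport, which the swiftmailer advisory concerns.
// $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport'] = 'mail';

// Recommended: deliver over SMTP (authenticated, STARTTLS on port 587) ...
$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport'] = 'smtp';
$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_smtp_server'] = 'smtp.example.com:587';
$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_smtp_encrypt'] = 'tls';
$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_smtp_username'] = 'typo3-mailer';
$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_smtp_password'] = '<replace-with-secret>';

// ... or, alternatively, hand mail to the local sendmail binary:
// $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport'] = 'sendmail';
// $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_sendmail_command'] = '/usr/sbin/sendmail -bs';
```

After changing the transport, clear the TYPO3 caches and send a test mail from the Install Tool to confirm delivery still works.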
General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Path Traversal in TYPO3 Core

Component Type: TYPO3 CMS

Release Date: November 22, 2016

Vulnerable subcomponent: Core

Vulnerability Type: Path Traversal

Affected Versions: Versions 6.2.0 to 6.2.28, 7.6.0 to 7.6.12 and 8.0.0 to 8.4.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Due to an overly loose type check in an API method, attackers could bypass the directory traversal check by providing an invalid UTF-8 encoding sequence.

Solution: Update to TYPO3 versions 6.2.29, 7.6.13 or 8.4.1 that fix the problem described.

Important Note: In TYPO3 installations with file or folder names that contain invalid UTF-8 encoding, accessing these files now triggers an error. It is recommended to rename these files so that their names use valid encoding sequences.
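To find the files and folders the note above refers to before updating, the following added script (not part of the bulletin or of TYPO3) walks a directory tree and lists every entry whose name is not valid UTF-8. The default root "fileadmin" and the script file name are assumptions.

```php
<?php
// Added example, not TYPO3 project code: list files and folders whose names are
// not valid UTF-8, so they can be renamed before the update makes them error out.
// Usage (assumed script name): php find_invalid_utf8_names.php /path/to/typo3/fileadmin

function findInvalidUtf8Names(string $root): array
{
    $bad = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        // preg_match with the /u modifier returns false (not 0) when the subject
        // is malformed UTF-8, which is exactly the condition we want to detect.
        if (preg_match('//u', $info->getFilename()) !== 1) {
            $bad[] = $path;
        }
    }
    return $bad;
}

$root = $argv[1] ?? 'fileadmin';   // assumed default location
$hits = findInvalidUtf8Names($root);
foreach ($hits as $path) {
    // The name itself is unprintable, so show it hex-encoded next to its folder.
    echo bin2hex(basename($path)) . "  in  " . dirname($path) . PHP_EOL;
}
echo count($hits) . " entries with invalid UTF-8 names under $root" . PHP_EOL;
```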

Credits: Thanks to Gerrit Venema who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Insecure Unserialize in TYPO3 Backend

Component Type: TYPO3 CMS

Release Date: November 22, 2016

Vulnerable subcomponent: Backend

Vulnerability Type: Insecure Unserialize

Affected Versions: Versions 6.2.0 to 6.2.28, 7.6.0 to 7.6.12 and 8.0.0 to 8.4.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:P/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Because incoming data is not properly validated, the suggest wizard is susceptible to insecure unserialize. To exploit this vulnerability, a valid backend user account is needed.

Solution: Update to TYPO3 versions 6.2.29, 7.6.13 or 8.4.1 that fix the problem described.

Credits: Thanks to TYPO3 core team member Christian Kuhn who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Unvalidated Redirect in extension "TC Directmail" (tcdirectmail)

Release Date: November 14, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 3.1.2 and below

Vulnerability Type: Unvalidated Redirect

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C

Problem Description: The extension rewrites the links within a test newsletter and uses its own eID script for redirects. The script fails to verify the integrity of the provided information and acts on untrusted data.

Solution: An updated version 3.1.3 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/tcdirectmail/3.1.3/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to the security team member Valentin Despa who discovered and reported the vulnerability.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

SQL Injection in extension "Member Infosheets" (if_membersheet)

Release Date: November 14, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 0.1.2 and below

Vulnerability Type: SQL Injection

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input and is vulnerable to SQL Injection.

Solution: An updated version 0.1.3 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/if_membersheet/0.1.3/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Ingo Schmitt who discovered and reported the vulnerability.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in extension "Secure Download Form" (rs_securedownload)

Release Date: November 14, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 0.3.2 and below

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input and is vulnerable to Cross-Site Scripting.

Solution: An updated version 0.3.3 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/rs_securedownload/0.3.3/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Torben Hansen who discovered and reported the vulnerability.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.