Category Archives: Typo3

SQL Injection vulnerability in extension wt_directory (wt_directory)

Release Date: June 15, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.4.1 and below

Vulnerability Type: SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:P/F:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly sanitize user-supplied input, the extension is vulnerable to SQL-Injection.

Solution: An updated version 1.4.2 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/wt_directory/1.4.2/t3x/. Users of the extension are advised to update the extension as soon as possible. Please note: The extension author is no longer maintaining this extension. It is therefore marked as obsolete and should no longer be used.

Credits: Credits go to Marc Bastian Heinrichs who discovered and reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

SQL Injection vulnerability in extension FAQ – Frequently Asked Questions (js_faq)

Release Date: June 15, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.2.0 and below

Vulnerability Type: SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:P/E:F/RL:U/RC:C

CVE: not assigned yet

Problem Description: Failing to properly sanitize user-supplied input, the extension is vulnerable to SQL-Injection.

Solution: An updated version 1.2.1 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/js_faq/1.2.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Torben Hansen who discovered and reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in extension BE User Log (beko_beuserlog)

Release Date: June 15, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.1.1 and below

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:P/RL:U/RC:C

Problem Description: The extension fails to properly escape user input in HTML context.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author is no longer maintaining this extension. Please uninstall and delete the extension folder from your installation.

Credits: Credits go to Torben Hansen who discovered and reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

SQL Injection vulnerability in extension Developer Log (devlog)

Release Date: June 15, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 2.11.3 and below

Vulnerability Type: SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:P/E:F/RL:U/RC:C

CVE: not assigned yet

Problem Description: Failing to properly sanitize user-supplied input, the extension is vulnerable to SQL-Injection. Only editors with permissions to access the devlog backend module will be able to exploit this vulnerability.

Solution: An updated version 2.11.4 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/devlog/2.11.4/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Wouter van Dongen who discovered and reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

SQL Injection vulnerability in extension Smoelenboek (ncgov_smoelenboek)

Release Date: June 15, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.0.8 and below

Vulnerability Type: SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:P/E:F/RL:U/RC:C

CVE: not assigned yet

Problem Description: Failing to properly sanitize user-supplied input, the extension is vulnerable to SQL-Injection.

Solution: An updated version 1.0.9 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/ncgov_smoelenboek/1.0.9/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Wouter van Dongen who discovered and reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Privilege Escalation in TYPO3 Neos

Component Type: TYPO3 Neos

Release Date: March 28, 2015

Bulletin Update: none

 

Vulnerability Type: Authentication Bypass

Affected Versions: 1.1.0 to 1.1.2 and 1.2.0 to 1.2.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

CVE: not assigned yet

Problem Description: It has been discovered that TYPO3 Neos is vulnerable to Privilege Escalation. Logged in editors could access, create and modify content nodes that exist in the workspace of other editors.

Solution: Update to TYPO3 Neos versions 1.1.3 or 1.2.3 that fix the problem described.

Credits: Thanks to Robert Lemke who discovered and to Andreas Förthner who reported and fixed the vulnerability.

 

General Advice: Please subscribe to the typo3-announce mailing list.

Authentication Bypass in TYPO3 CMS 4.5

Component Type: TYPO3 CMS

Vulnerability Types: Authentication Bypass

Overall Severity: Critical

Release Date: February 19, 2015

 

Vulnerable subcomponent: rsaauth system extension

Vulnerability Type: Authentication Bypass

Affected Versions: Versions 4.3.0 to 4.3.14, 4.4.0 to 4.4.15, 4.5.0 to 4.5.39 and 4.6.0 to 4.6.18

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: It has been discovered that TYPO3 CMS is vulnerable to Authentication Bypass. Frontend users can be authenticated by only knowing their username.

TYPO3 installations are affected if all of the following apply:

  • TYPO3 Version 4.3.0 to 4.3.14, 4.4.0 to 4.4.15, 4.5.0 to 4.5.39 or 4.6.0 to 4.6.18
  • users/access restricted frontend area (frontend login)
  • system extension rsaauth is loaded
  • system extension rsaauth is configured for frontend usage as follows:
    $GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] = 'rsa'

TYPO3 installations are not affected if at least one of the following applies:

  • TYPO3 Version 4.7.0 or higher
  • no users/access restricted frontend area (TYPO3 Backend authentication is not affected)
  • system extension rsaauth is not loaded (default)
  • system extension rsaauth is not configured for frontend usage with the following setting (default):
    $GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] = 'rsa'
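The affected/not-affected conditions above can be turned into an inventory check that walks a directory of installations, in the spirit of the patch script the bulletin mentions. The script below is an added example written for this page; it is not the TYPO3 security team's script. It assumes the TYPO3 4.x file layout (version string in `t3lib/config_default.php` as `$TYPO_VERSION = '...';`, site configuration in `typo3conf/localconf.php` with rsaauth listed in `extList`); verify those paths against your own installations. The fixture it builds for demonstration is constructed data. The condition "users/access restricted frontend area" depends on page content rather than configuration and is deliberately left for a manual check.

```shell
#!/bin/sh
# Added example, not the TYPO3 team's script: decide whether a TYPO3 4.x
# installation matches the checkable conditions of the rsaauth bulletin.
# Assumed TYPO3 4.x layout (assumption, verify against your installs):
#   <root>/t3lib/config_default.php   contains  $TYPO_VERSION = '4.5.39';
#   <root>/typo3conf/localconf.php    contains  $TYPO3_CONF_VARS[...] lines

# Print the version string of the installation rooted at $1 (empty if unknown).
typo3_version() {
    f="$1/t3lib/config_default.php"
    [ -f "$f" ] || return 1
    # The leading "." stands for the literal "$" of $TYPO_VERSION.
    sed -n "s/^.TYPO_VERSION *= *'\([0-9.]*\)'.*/\1/p" "$f" | head -n 1
}

# Return 0 when version $1 lies in one of the bulletin's affected ranges:
# 4.3.0-4.3.14, 4.4.0-4.4.15, 4.5.0-4.5.39, 4.6.0-4.6.18.
version_affected() {
    case "$1" in
        4.3.[0-9]|4.3.1[0-4])                    return 0 ;;
        4.4.[0-9]|4.4.1[0-5])                    return 0 ;;
        4.5.[0-9]|4.5.[1-2][0-9]|4.5.3[0-9])     return 0 ;;
        4.6.[0-9]|4.6.1[0-8])                    return 0 ;;
        *)                                       return 1 ;;
    esac
}

# Return 0 when typo3conf/localconf.php loads rsaauth and sets the frontend
# login security level to 'rsa' (the two configuration conditions above).
# Assumes extList is set in localconf.php; adapt if your site configures
# extensions elsewhere.
rsaauth_frontend_enabled() {
    conf="$1/typo3conf/localconf.php"
    [ -f "$conf" ] || return 1
    grep -Eq "\['EXT'\]\['extList'\][^;]*rsaauth" "$conf" || return 1
    grep -Eq "\['FE'\]\['loginSecurityLevel'\] *= *'rsa'" "$conf"
}

# Return 0 (affected) when the installation at $1 runs an affected version and
# has rsaauth enabled for the frontend. Whether a restricted frontend area
# (frontend login) actually exists is page content, not configuration, and is
# left for a manual check.
typo3_rsaauth_affected() {
    v=$(typo3_version "$1") || return 1
    [ -n "$v" ] || return 1
    version_affected "$v" || return 1
    rsaauth_frontend_enabled "$1"
}

# Walk $1 for TYPO3 roots and print each affected one with its version.
scan_for_affected() {
    find "$1" -path '*/t3lib/config_default.php' 2>/dev/null | while read -r f; do
        root=$(dirname "$(dirname "$f")")
        if typo3_rsaauth_affected "$root"; then
            printf '%s (TYPO3 %s)\n' "$root" "$(typo3_version "$root")"
        fi
    done
}

# Constructed fixture (demonstration only): fake install at $1 with version $2
# and loginSecurityLevel $3, rsaauth always listed in extList.
make_fixture() {
    mkdir -p "$1/t3lib" "$1/typo3conf"
    printf "<?php\n\$TYPO_VERSION = '%s';\n" "$2" > "$1/t3lib/config_default.php"
    {
        printf "<?php\n"
        printf "\$TYPO3_CONF_VARS['EXT']['extList'] = 'cms,lang,rsaauth';\n"
        printf "\$TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = '%s';\n" "$3"
    } > "$1/typo3conf/localconf.php"
}

# Usage: sh check_rsaauth.sh /var/www   (scans every TYPO3 root below it)
if [ $# -gt 0 ]; then
    scan_for_affected "$1"
fi
```

Running it against a web root lists only installations that satisfy every configuration condition; a listed install still needs the content check for a restricted frontend area before it is confirmed affected, and an unlisted one can still be on an affected version and deserve the update anyway.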

 

Solution: Update to TYPO3 version 4.5.40 that fixes the problem described. Alternatively use the provided shell script to patch all affected TYPO3 versions (all between 4.3 and 4.6) that are found in a specified directory or use the diff file to patch the installations manually.

Important Note: Updating or patching your installations to fix this CRITICAL vulnerability is STRONGLY ADVISED!

Credits: Thanks to Pierrick Caillon who discovered and reported the vulnerability and to Security Team Member Nicole Cordes for developing a fix and providing the shell script.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Important Security-Bulletin Pre-Announcement

The TYPO3 security team has identified a critical security issue in the TYPO3 v4 Core.

The following branches are affected by the vulnerability:

* TYPO3 4.3
* TYPO3 4.4
* TYPO3 4.5
* TYPO3 4.6

Only TYPO3 installations which use the frontend login functionality are affected by this vulnerability.

Newer TYPO3 versions (4.7.0 or higher) are NOT affected!

A TYPO3 4.5.40 release containing a security fix will be published the day after tomorrow, Thursday 19th of February at about 10:00 am CET.

If possible, we will provide patches for not supported releases.

Since this is a very important security fix, please be prepared to update your TYPO3 installations on Thursday.

Until the advisory is out, please understand that we cannot provide any further information.

CVSS v2.0 data for the bulletin to be released:

Base AV:N/AC:L/Au:N/C:P/I:P/A:N | Temporal E:F/RL:O/RC:C

Cross-Site Scripting in extension Gridelements (gridelements)

Release Date: February 17, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: gridelements: Versions 3.0.0, 2.1.2 and below

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C

CVE: not assigned yet

Problem Description: The extension fails to properly escape user input in HTML context. Backend Editor permissions with access to any text field within any data table are required to exploit this vulnerability.

Solution: Updated versions 3.0.1 and 2.1.3 are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/gridelements/3.0.1/t3x/ and http://typo3.org/extensions/repository/download/gridelements/2.1.3/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Sven Jürgens who discovered and reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Information Disclosure in Direct Mail Subscription (direct_mail_subscription)

Release Date: January 16, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 2.0.1

Vulnerability Type: Information Disclosure

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

Problem Description: The extension discloses personal data of newsletter subscribers. Such data might be cached and indexed by search engines.

Solution: Updated version 2.0.2 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/direct_mail_subscription/2.0.2/t3x/. If you are using a custom template, please consider the removal of name and email markers throughout the template!

Credits: Credits go to Ingo Müller and Stefan Neufeind who discovered the vulnerability.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.