Category Archives: Typo3


Cross-Site Scripting in extension "Apache Solr for TYPO3" (solr)

Release Date: March 03, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 2.8.3 and below, 3.0.0 to 3.0.1

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input. The vulnerability is exploitable only if the TypoScript setting search.keepExistingParametersForNewSearches is enabled (which is disabled by default).

Solution: Updated versions 2.8.4 and 3.0.2 are available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/solr/2.8.4/t3x/ and http://typo3.org/extensions/repository/download/solr/3.0.2/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Hendrik Nadler who discovered and reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in extension "Extension Kickstarter" (kickstarter)

Release Date: March 03, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 0.5.3 and below

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:N/A:N/E:F/RL:U/RC:C

Problem Description: The extension fails to properly encode extension information in its edit mask. An admin backend user is needed to exploit the vulnerability.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension is no longer maintained and the author will not provide a security fix for the reported vulnerability. Please uninstall and delete the extension from your installation.

Credits: Credits go to Oliver Klee who discovered and reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Multiple vulnerabilities in extension "Fe user statistic" (festat)

Release Date: March 03, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 0.3.2 and below

Vulnerability Type: Cross-Site Scripting, Insecure Unserialize and Information Disclosure

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C

Problem Description: Failing to sanitize user input properly, festat is vulnerable to Cross-Site Scripting, Insecure Unserialize and Information Disclosure.
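Of the three issues, the insecure unserialize is the one to worry about: PHP's unserialize() instantiates whatever class a serialized string names, so attacker-controlled input reaching it can trigger the magic methods (__wakeup, __destruct, __toString) of any loadable class in the installation. The following is an added example, not festat's code, that shows the pattern with a hypothetical gadget class LogWriter, a hypothetical cookie value and a constructed payload, beside the two usual fixes; it assumes PHP 7.4 or later.

```php
<?php
// Added example, not festat's code: PHP object injection through
// unserialize() on attacker-controlled input, beside two safe loaders.
// LogWriter, the cookie value and the file path are hypothetical.
declare(strict_types=1);

// An ordinary application class with a magic method. Once attacker data hits
// unserialize(), every autoloadable class with __wakeup/__destruct/__toString
// becomes a reachable "gadget"; this one turns into an arbitrary file write.
final class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $line = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->line, FILE_APPEND);
    }
}

// Vulnerable: statistics state round-tripped through a cookie with unserialize().
function loadStatsVulnerable(string $cookie): array
{
    $data = unserialize($cookie);      // instantiates any class the string names
    return is_array($data) ? $data : [];
}

// Hardened 1: keep the format but forbid object instantiation (PHP >= 7.0).
// Objects come back as __PHP_Incomplete_Class, whose magic methods never run.
function loadStatsNoObjects(string $cookie): array
{
    $data = unserialize($cookie, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Hardened 2: a data format that cannot express PHP objects at all.
function loadStatsJson(string $cookie): array
{
    $data = json_decode($cookie, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed payload: an O: record naming the gadget with attacker-chosen
// property values (the s:N lengths must match the strings exactly).
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"line";s:5:"<?php";}';

loadStatsVulnerable($payload);
// The LogWriter object was destroyed when $data went out of scope, so
// __destruct() has already written /tmp/pwned.txt although the caller only
// ever saw an empty array.
var_dump(file_exists('/tmp/pwned.txt'));

loadStatsNoObjects($payload);          // no LogWriter is created, nothing is written

try {
    loadStatsJson($payload);
} catch (JsonException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;   // the payload is not valid JSON
}
```

allowed_classes => false is the minimal fix when the serialized format cannot be changed; moving the data to JSON (or signing it with an HMAC before it leaves the server) removes the bug class rather than one gadget. Note that the caller of the vulnerable loader never sees anything unusual: the side effect happens in the destructor, which is why this class of bug is so easy to miss in review.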

Solution: An updated version 0.3.3 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/festat/0.3.3/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Torben Hansen who discovered and reported this issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in extension "Google Sitemap" (enter_new_weeaar_googlesitemap)

Release Date: March 03, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.0.0 and below

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:U/RC:C

Problem Description: This extension is a fork of the extension weeaar_googlesitemap. Like the original extension, this fork is susceptible to Cross-Site Scripting.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author did not provide a security fix for the reported vulnerability within a reasonable time. Please uninstall and delete the extension from your installation.

Credits: Credits go to Frederic Gaus who reported the fork.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in extension "List frontend users" (listfeusers)

Release Date: March 03, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 0.9.9 and below

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:P

Problem Description: The extension fails to properly sanitize data from TYPO3 fe_users records.

Solution: An updated version 0.9.11 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/listfeusers/0.9.11/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Torben Hansen who reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Information Disclosure in extension "UTOPIA" (ics_utopia)

Release Date: March 03, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.0.1 and below

Vulnerability Type: Information Disclosure

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:N/A:N/E:H/RL:U/RC:C

Problem Description: The extension saves t3d exports to a publicly accessible folder (fileadmin). Because the web server serves that folder directly, anyone who can guess or enumerate an export file name can download it, disclosing the exported page and record data.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension is no longer maintained and the author will not provide a security fix for the reported vulnerability. Please uninstall and delete the extension from your installation.

Important note: You have to remove existing t3d files from your fileadmin folder manually!
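The following added check is not part of the advisory or of ics_utopia. It carries out the clean-up above from the command line: run from the TYPO3 document root, it lists every .t3d file under fileadmin (the folder name is an assumption, adjust it if your installation uses a different storage path) and deletes them only when passed --delete.

```php
<?php
// Added check, not ics_utopia code: find (and optionally delete) TYPO3 .t3d
// exports left under a web-served folder. The fileadmin path is an
// assumption; run this from the TYPO3 document root on the command line.
declare(strict_types=1);

function findExports(string $root, array $extensions = ['t3d']): array
{
    if (!is_dir($root)) {
        throw new RuntimeException("not a directory: $root");
    }
    $found = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        /** @var SplFileInfo $file */
        if ($file->isFile() && in_array(strtolower($file->getExtension()), $extensions, true)) {
            $found[] = $file->getPathname();
        }
    }
    sort($found);
    return $found;
}

$delete = in_array('--delete', $argv ?? [], true);
foreach (findExports('fileadmin') as $path) {
    echo $path, ' (', filesize($path), ' bytes)', PHP_EOL;
    if ($delete && !unlink($path)) {
        fwrite(STDERR, "could not delete $path" . PHP_EOL);
    }
}
```

Run it once without --delete to review the list; exports written elsewhere (a second file storage, a backup copy under fileadmin/_temp_) need the root adjusted accordingly. Deleting the files does not help if they have already been fetched, so treat any export that was reachable as disclosed.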

Credits: Credits go to the security team member Helmut Hummel who discovered and reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Denial of Service attack possibility in TYPO3 component Indexed Search

Component Type: TYPO3 CMS

Release Date: February 23, 2016

 

Vulnerable subcomponent: Indexed Search

Vulnerability Type: Denial of Service attack

Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: The maximum number of results Indexed Search will fetch for a single search request is far too high. An unauthenticated client can therefore make the server build oversized result sets on every request and exhaust its resources (Denial of Service).
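An added example, not the Indexed Search code, of the fix class this advisory describes: the number of results a request may ask for, and the page index that turns into an OFFSET, are validated against server-side ceilings before any query is built. The parameter names, defaults and ceilings are assumptions.

```php
<?php
// Added example, not Indexed Search code: validate the requested result
// window against server-side ceilings before any query is built.
// Parameter names, defaults and ceilings are assumptions.
declare(strict_types=1);

const DEFAULT_LIMIT = 10;
const MAX_LIMIT     = 100;    // page size ceiling enforced regardless of input
const MAX_PAGE      = 1000;   // bounds the OFFSET as well, not just the LIMIT

// Vulnerable shape: the limit comes straight from the request. A single
// ?limit=999999999 makes the database build and transfer a huge result set
// and PHP hydrate it, and every such request costs the same again.
function resultWindowVulnerable(array $query): array
{
    $limit = (int)($query['limit'] ?? DEFAULT_LIMIT);
    $page  = (int)($query['page'] ?? 0);
    return ['limit' => $limit, 'offset' => $page * $limit];
}

// Hardened shape: both the page size and the page index are validated as
// integers within a closed range; anything else (huge, negative, "10abc")
// is rejected and replaced by the default instead of being cast.
function resultWindow(array $query): array
{
    $limit = filter_var($query['limit'] ?? DEFAULT_LIMIT, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_LIMIT],
    ]);
    $page = filter_var($query['page'] ?? 0, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => MAX_PAGE],
    ]);
    if ($limit === false) {
        $limit = DEFAULT_LIMIT;
    }
    if ($page === false) {
        $page = 0;
    }
    return ['limit' => $limit, 'offset' => $page * $limit];
}

// Constructed abusive query strings, plus one legitimate request
$attempts = [
    ['limit' => '999999999'],
    ['limit' => '-5'],
    ['limit' => '10abc', 'page' => '40000'],
    ['limit' => '25', 'page' => '3'],
];
foreach ($attempts as $q) {
    printf("%-30s vulnerable=%s hardened=%s\n",
        http_build_query($q),
        json_encode(resultWindowVulnerable($q)),
        json_encode(resultWindow($q)));
}
```

The ceiling belongs on the server, not in TypoScript or a template that an integrator may raise again; a configurable value is fine as long as the code clamps it to a hard upper bound. Bounding the page index matters as much as the page size: a large OFFSET still forces the database to walk the skipped rows.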

Solution: Update to TYPO3 versions 6.2.19 or 7.6.4 that fix the problem described.

Credits: Thanks to Jonas Felix who discovered and reported the issue.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Cross-Site Scripting in TYPO3 component CSS styled content

Component Type: TYPO3 CMS

Release Date: February 23, 2016

 

Vulnerable subcomponent: CSS styled content

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly encode user input, the CSS styled content component is susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript.
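Every Cross-Site Scripting item on this page, from the extension advisories above (solr, kickstarter, festat, the Google Sitemap fork, listfeusers) to this one and the Backend bookmark toolbar below, has the same root cause: a value reaches an HTML, attribute, URL or script context without the encoding that context requires. The following added example, not TYPO3 core or extension code, contrasts raw interpolation with one encoder per context. The record, field names and markup are constructed; the values mimic what a registered frontend user could store in a fe_users record, as in the listfeusers advisory.

```php
<?php
// Added example, not TYPO3 core or extension code: raw interpolation beside
// per-context output encoding. The record, field names and markup are
// constructed; the values mimic what a fe_users record could carry.
declare(strict_types=1);

// HTML text node or double-quoted attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Value embedded in an inline <script>: JSON with the HTML-significant
// characters hex-escaped, so a value containing "</script>" cannot close
// the element and "</" never appears in the output.
function js($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// href/src: only a safe scheme (or a relative URL) gets through; the result
// is still attribute-encoded afterwards.
function url(string $u): string
{
    $scheme = strtolower((string)parse_url($u, PHP_URL_SCHEME));
    return in_array($scheme, ['', 'http', 'https', 'mailto'], true) ? h($u) : '#';
}

// Vulnerable rendering: every field lands in a different context, none encoded.
function renderVulnerable(array $u): string
{
    return "<li title=\"{$u['company']}\"><a href=\"{$u['www']}\">{$u['name']}</a></li>\n"
         . "<script>var profile = {\"name\": \"{$u['name']}\"};</script>\n";
}

// Hardened rendering: one encoder per context.
function renderSafe(array $u): string
{
    return '<li title="' . h($u['company']) . '"><a href="' . url($u['www']) . '">'
         . h($u['name']) . "</a></li>\n"
         . '<script>var profile = ' . js(['name' => $u['name']]) . ";</script>\n";
}

// Constructed record: a registered frontend user filled in these fields.
$user = [
    'name'    => 'Alice</script><script>alert(document.cookie)</script>',
    'company' => 'Acme" onmouseover="alert(1)',
    'www'     => 'javascript:alert(1)',
];

echo renderVulnerable($user), renderSafe($user);
```

The vulnerable output shows three separate breakouts: the company value closes the title attribute and adds an event handler, the www value gives the link a javascript: URL, and the name closes the inline script block. Note that h() alone would not have fixed the second and third; the fix is choosing the encoder by where the value lands, not by where it came from, which is also why "sanitizing input" (the wording several advisories above use) is the wrong mental model for stored data that is rendered in more than one place.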

 

Solution: Update to TYPO3 versions 6.2.19 or 7.6.4 that fix the problem described.

Credits: Thanks to Jakub Galczyk who discovered and reported the issue.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Cross-Site Scripting in TYPO3 component Backend

Component Type: TYPO3 CMS

Release Date: February 23, 2016

 

Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.18

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly encode incoming data, the bookmark toolbar is susceptible to Cross-Site Scripting.

Solution: Update to TYPO3 version 6.2.19 that fixes the problem described.

Credits: Thanks to Filipe Reis who discovered and reported the issue.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

XML External Entity (XXE) Processing in TYPO3 Core

Component Type: TYPO3 CMS

Release Date: February 23, 2016

 

Vulnerable subcomponent: TYPO3 CMS

Vulnerability Type: XML External Entity Processing

Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: All XML processing within TYPO3 CMS is vulnerable to XML External Entity (XXE) processing. An attacker who can get XML parsed by TYPO3 can make the parser include the content of local files or external resources in the resulting XML structure. Furthermore, arbitrary files and entities can be referenced to mount an XML-based Denial of Service attack. For more information on the topic see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing.

Solution: Update to TYPO3 versions 6.2.19 or 7.6.4 that fix the problem described.

Important Note: Systems using a PHP version with libxml2 >= 2.9 should be protected by default. Since version 2.9 the library changed its behavior to disallow external entity processing by default.
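The note above holds only for code that does not opt back in: libxml2 2.9 stopped resolving external entities by default, but a call that passes LIBXML_NOENT (entity substitution) re-enables exactly the behaviour this advisory describes, on every libxml2 version. The following added example, not TYPO3's XML code, puts a DOMDocument loader that opts in beside one that refuses any DOCTYPE, disables network access and, on PHP before 8.0, switches off the process-wide entity loader for the duration of the parse. The document is constructed; the SYSTEM entity targets /etc/passwd only as a stand-in for any file the web server user can read.

```php
<?php
// Added example, not TYPO3's XML handling code: a DOMDocument loader that
// opts back into external entities beside one that refuses them. The XML
// below is constructed; the SYSTEM entity targets /etc/passwd as a stand-in
// for any file the web server user can read.
declare(strict_types=1);

$untrusted = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY passwd SYSTEM "file:///etc/passwd">
  <!ENTITY a "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<data><f>&passwd;</f><g>&c;</g></data>
XML;

// Vulnerable: LIBXML_NOENT asks libxml to substitute entities, which resolves
// the SYSTEM entity on every libxml2 version, 2.9 included. The entity chain
// in <g> is kept tiny here; a real payload nests it deep enough to exhaust
// memory (entity expansion, the "XML Denial of Service" in the advisory).
function parseVulnerable(string $xml): ?DOMDocument
{
    $doc = new DOMDocument();
    return $doc->loadXML($xml, LIBXML_NOENT) ? $doc : null;
}

// Hardened: no DOCTYPE accepted at all (so no entities can be declared),
// no entity substitution, no network, and on PHP < 8.0 the process-wide
// external entity loader switched off for the duration of the parse.
function parseSafe(string $xml): DOMDocument
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE is not allowed');
    }
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            $err = libxml_get_last_error();
            throw new InvalidArgumentException(
                'Invalid XML: ' . ($err ? trim($err->message) : 'parse error')
            );
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

$doc = parseVulnerable($untrusted);
if ($doc !== null) {
    // With entity substitution on, <f> now holds the file contents.
    echo strlen($doc->getElementsByTagName('f')->item(0)->textContent), " bytes leaked\n";
}
try {
    parseSafe($untrusted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Two caveats on the hardened loader. The DOCTYPE check is a byte-level regular expression, so it only sees what is literally in the string: if input may arrive in UTF-16 or another encoding, convert it to UTF-8 first or the check is bypassable. And simplexml_load_string(), SimpleXMLElement and XMLReader::open() all accept the same LIBXML_* flags, so the same rule applies to every call site, which is why the advisory speaks of all XML processing rather than a single function.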

Credits: Thanks to security team member Marcus Krause who discovered and reported the issue.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.