Category Archives: Typo3

Cross-Site Scripting vulnerability in typolinks

Component Type: TYPO3 CMS

Release Date: December 15, 2015

 

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.15, 7.0.0 to 7.6.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: All link fields within the TYPO3 installation are vulnerable to Cross-Site Scripting, as authorized editors can insert JavaScript commands by using the URL scheme “javascript:”.

Solution: Update to TYPO3 version 6.2.16 or 7.6.1, which fix the problem described. The typoLink() function now disables the insecure URL scheme “javascript:” by default.

Important note: If your TYPO3 installation requires that prefix, you can re-enable the old behaviour by installing the extension javascript_handler.

Credits: Thanks to Oliver Hader who discovered and reported the issues.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.
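As an added illustration (not TYPO3's own code, and not the typoLink() implementation), the allowlist check below shows the defensive rule the fix enforces on a link field: a link is accepted only if it is relative or its scheme is on an allowlist, after the same normalisation browsers apply before reading the scheme. The allowlist contents and the function names are assumptions for this example.

```python
import re
from typing import Optional

# Constructed allowlist for this example: schemes a link field may carry.
# Anything else (including "javascript:" and "data:") is rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}

# Browsers delete ASCII tab, LF and CR anywhere in a URL and strip leading
# C0 control / space characters before parsing the scheme. A check that
# does not normalise the same way can be bypassed, so do it first.
_INLINE_STRIP = re.compile(r"[\t\r\n]")
_LEADING_STRIP = re.compile(r"^[\x00-\x20]+")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def link_scheme(link: str) -> Optional[str]:
    """Return the lower-cased scheme as a browser would parse it, or None
    when the link has no scheme (relative or protocol-relative link)."""
    normalised = _LEADING_STRIP.sub("", _INLINE_STRIP.sub("", link))
    match = _SCHEME.match(normalised)
    return match.group(1).lower() if match else None


def is_safe_link(link: str) -> bool:
    """Accept relative links and links whose scheme is on the allowlist.

    Note that a relative path containing a colon early on (e.g. "page:1")
    is parsed as a scheme by browsers too, so it is rejected rather than
    guessed at; editors should write it as "./page:1"."""
    scheme = link_scheme(link)
    if scheme is None:
        return True
    return scheme in ALLOWED_SCHEMES


def filter_link_fields(fields: dict) -> dict:
    """Drop every link field whose value fails the check; keep the rest."""
    return {name: value for name, value in fields.items() if is_safe_link(value)}


if __name__ == "__main__":
    # Constructed sample record with one offending link field.
    record = {"url": "https://example.org/", "link": "javascript:alert(1)"}
    print(filter_link_fields(record))
```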

Multiple Cross-Site Scripting vulnerabilities in TYPO3 backend

Component Type: TYPO3 CMS

Release Date: December 15, 2015

 

Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.15, 7.0.0 to 7.6.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Several backend components fail to properly encode user input and are therefore susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript.

Solution: Update to TYPO3 version 6.2.16 or 7.6.1, which fix the problem described.

Credits: Thanks to Markus Bucher, Corné Hannema, Heine Pedersen and Torben Jensen who discovered and reported the issues.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Cross-Site Scripting in TYPO3 component Extension Manager

Component Type: TYPO3 CMS

Release Date: December 15, 2015

 

Vulnerable subcomponent: Extension Manager

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.15, 7.0.0 to 7.6.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: TYPO3 fails to properly HTML-encode extension data during an extension installation and is therefore vulnerable to Cross-Site Scripting.

Solution: Update to TYPO3 version 6.2.16 or 7.6.1, which fix the problem described.

Credits: Thanks to the security team member Helmut Hummel who discovered and reported the issue.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Arbitrary Code Execution in extension "MK Forms" (mkforms)

Release Date: September 30, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.0.23 and below

Vulnerability Type: Arbitrary Code Execution

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: The extension fails to delete uploaded files that failed validation; such files can then be executed by anyone who knows the upload folder.

Solution: An updated version 1.0.24 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/mkforms/1.0.24/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Hannes Bochmann who discovered and reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

SQL Injection in extension "http:BL Blocking" (mh_httpbl)

Release Date: September 30, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.1.7 and below

Vulnerability Type: SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:U/RC:C

Problem Description: The extension fails to properly sanitize user-supplied input and is therefore vulnerable to SQL Injection. A valid backend login with permission to access the backend module is required to exploit this vulnerability.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author did not provide a security fix for the reported vulnerability within a reasonable time. Please uninstall and delete the extension from your installation.

Credits: Credits go to Wouter van Dongen who discovered and reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Request Forgery in extension "Typo3 Quixplorer" (t3quixplorer)

Release Date: September 30, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.7.2 and below

Vulnerability Type: Cross-Site Request Forgery

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C

Problem Description: The extension fails to provide CSRF protection.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author did not provide a security fix for the reported vulnerability within a reasonable time. Please uninstall and delete the extension from your installation.

Note: In general, the TYPO3 Security Team recommends not using any extensions that bundle database or file management tools on production TYPO3 websites.

Credits: Credits go to Wouter van Dongen who discovered and reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

File Disclosure in extension "Zend Framework Integration" (zend_framework)

Release Date: September 30, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.7.6 and below

Vulnerability Type: File Disclosure

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:O/RC:C

Problem Description: The extension includes a Zend Framework component which fails to sanitize user input properly. Further information can be found in the Security Advisory ZF2012-01.

Solution: An updated version 2.0.1 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/zend_framework/2.0.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to security team member Helmut Hummel who discovered and reported the issue.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.