Category Archives: Typo3

Information Disclosure in extension "Adminer" (t3adminer)

Release Date: September 30, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 7.0.1 and below

Vulnerability Type: Information Disclosure

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:O/RC:C

Problem Description: The extension fails to ensure TYPO3 user authentication and outputs the user name of the PHP process. In certain server setups, where the user of the PHP process can also access the database without a password, it is possible to perform database operations with the permissions of this user. The extension t3adminer only needs to be present in the TYPO3 installation; it does not need to be activated for this vulnerability to be exploitable.

Solution: Updated versions 1.4.1 and 7.0.2 are available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/t3adminer/1.4.1/t3x/ and http://typo3.org/extensions/repository/download/t3adminer/7.0.2/t3x/. Users of the extension are advised to update the extension as soon as possible.

Note: In general, the TYPO3 Security Team recommends not using any extensions that bundle database or file management tools on production TYPO3 websites.

Credits: Credits go to Harald Amelung who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in extension "News system" (news)

Release Date: September 30, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 3.2.1 and below

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: The extension fails to properly encode user input in the paginate widget. This is only exploitable when the extension cooluri is used, or when realurl is used with the configuration option doNotRawUrlEncodeParameterNames enabled.

Solution: An updated version 3.2.2 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/news/3.2.2/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Marc Willmann who reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Information Disclosure in extension "LDAP" (eu_ldap)

Release Date: September 30, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 2.8.18 and below

Vulnerability Type: Information Disclosure

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

Problem Description: The extension turns on PHP error output. When the ldap service is enabled in the configuration for the backend or frontend, PHP errors can be shown during the login process, which discloses the full server path.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author is no longer maintaining this extension. Please uninstall and delete the extension folder from your installation.

Credits: Credits go to security team member Nicole Cordes who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Arbitrary Code Execution in extension "MK Forms" (mkforms)

Release Date: September 30, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.0.23 and below

Vulnerability Type: Arbitrary Code Execution

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: The extension fails to delete uploaded files that fail validation; they remain in the upload folder and can be executed by anyone who knows its location.

Solution: An updated version 1.0.24 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/mkforms/1.0.24/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Hannes Bochmann who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

SQL Injection in extension "http:BL Blocking" (mh_httpbl)

Release Date: September 30, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.1.7 and below

Vulnerability Type: SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:U/RC:C

Problem Description: Because the extension fails to properly sanitize user-supplied input, it is vulnerable to SQL injection. A valid backend login with permission to access the backend module is required to exploit this vulnerability.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author did not provide a security fix for the reported vulnerability within a reasonable time. Please uninstall and delete the extension from your installation.

Credits: Credits go to Wouter van Dongen who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Request Forgery in extension "Typo3 Quixplorer" (t3quixplorer)

Release Date: September 30, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.7.2 and below

Vulnerability Type: Cross-Site Request Forgery

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C

Problem Description: The extension fails to provide CSRF protection.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author did not provide a security fix for the reported vulnerability within a reasonable time. Please uninstall and delete the extension from your installation.

Note: In general, the TYPO3 Security Team recommends not using any extensions that bundle database or file management tools on production TYPO3 websites.

Credits: Credits go to Wouter van Dongen who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

File Disclosure in extension "Zend Framework Integration" (zend_framework)

Release Date: September 30, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.7.6 and below

Vulnerability Type: File Disclosure

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:O/RC:C

Problem Description: The extension includes a Zend Framework component which fails to sanitize user input properly. Further information can be found in the Security Advisory ZF2012-01.

Solution: An updated version 2.0.1 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/zend_framework/2.0.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to security team member Helmut Hummel who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Non-Persistent Cross-Site Scripting

Component Type: TYPO3 CMS

Release Date: September 8, 2015

Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.14, 7.0.0 to 7.3.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

CVE: CVE-2015-5956

Problem Description: It has been discovered that it is possible to forge a link to a backend module that contains a JavaScript payload. The JavaScript is executed if an authenticated editor with access to the module follows the link and is then tricked into clicking a certain HTML target. Because TYPO3 versions 7.4.0 and above include a secret token, unknown to an attacker, in every URL, the exploit is not feasible for these versions.

Solution: Update to TYPO3 version 6.2.15 or 7.4.0, which fix the problem described.

Credits: Thanks to Julien Ahrens (secunet Security Networks AG) who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security-related code changes are tagged so that you can easily look them up on our review system.

Unauthenticated Path Disclosure

Component Type: TYPO3 CMS

Release Date: September 8, 2015

Vulnerable subcomponent: Frontend

Vulnerability Type: Information Disclosure

Affected Versions: Versions 6.2.0 to 6.2.14, 7.0.0 to 7.3.1

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

CVE: not assigned yet

Problem Description: It has been discovered that calling a PHP script which is delivered with TYPO3 for testing purposes discloses the absolute server path to the TYPO3 installation.

Solution: Update to TYPO3 version 6.2.15 or 7.4.0, which fix the problem described.

Credits: Thanks to Heiko Kromm who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security-related code changes are tagged so that you can easily look them up on our review system.

Information Disclosure possibility exploitable by Editors

Component Type: TYPO3 CMS

Release Date: July 1, 2015

Vulnerable subcomponent: Backend

Vulnerability Type: Information Disclosure

Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C

CVE: not assigned yet

Problem Description: It has been discovered that editors with access to the file list module could list all files and folders in the root directory of a TYPO3 installation. Modifying files or listing further nested directories was not possible.

Solution: Update to TYPO3 version 6.2.14 or 7.3.1, which fix the problem described.

Credits: Thanks to Helmut Hummel who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security-related code changes are tagged so that you can easily look them up on our review system.