Marcus Krause

**Name of the Vulnerable Software and Affected Versions** TYPO3 T3BLOG extension versions 0.6.2 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For versions 0.6.2 and earlier, update to a version later than 0.6.2 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: TYPO3 dr wiki extension versions 1.7.1 and earlier Description: A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML. Recommendations: For versions 1.7.1 and earlier, update to a version later than 1.7.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions 4.0.0 through 4.0.9 TYPO3 versions 4.1.0 through 4.1.7 TYPO3 versions 4.2.0 through 4.2.3 **Description** The issue concerns a session fixation vulnerability in the authentication library. This vulnerability allows remote attackers to hijack web sessions via unspecified vectors related to frontend and backend authentication. The vulnerability may lead to a breach of confidentiality, integrity, and availability of protected information and can be exploited remotely. **Recommendations** For versions 4.0.0 through 4.0.9, update to a version outside of this range to mitigate the risk. For versions 4.1.0 through 4.1.7, update to a version outside of this range to mitigate the risk. For versions 4.2.0 through 4.2.3, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the authentication library until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TYPO3 version 4.2.2 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. **Recommendations** For version 4.2.2, update to a newer version to mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions 4.0.x through 4.0.8 TYPO3 versions 4.1.x through 4.1.6 TYPO3 versions 4.2.x through 4.2.0 **Description** The issue allows remote attackers to bypass security restrictions and upload configuration files, such as .htaccess, or conduct file upload attacks using multiple extensions, due to an insufficiently restrictive default fileDenyPattern for Apache. **Recommendations** For versions 4.0.x through 4.0.8, update to version 4.0.9 or later. For versions 4.1.x through 4.1.6, update to version 4.1.7 or later. For versions 4.2.x through 4.2.0, update to version 4.2.1 or later.

Name of the Vulnerable Software and Affected Versions: air filemanager extension for TYPO3 versions 0.6.0 and earlier Description: The issue is related to insufficient file filtering, allowing remote attackers to execute arbitrary PHP code. Recommendations: For air filemanager extension for TYPO3 versions 0.6.0 and earlier, update to a version later than 0.6.0 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: air filemanager versions 0.6.0 and earlier Description: The issue is related to a cross-site scripting (XSS) vulnerability, which allows remote attackers to inject arbitrary web script or HTML. This can be achieved via unspecified vectors, potentially leading to unauthorized access or control over user sessions. Recommendations: For air filemanager versions 0.6.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TYPO3 powermail extension versions prior to 1.1.10 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions prior to 1.1.10, update to version 1.1.10 or later to resolve the issue.