Markus Klein

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 12.4.8 **Description** The login screen of the standalone install tool discloses the full path of the transient data directory. This issue applies to composer-based scenarios only, and "classic" non-composer installations are not affected. **Recommendations** For versions prior to 12.4.8, update to version 12.4.8 to resolve the issue. As there are no known workarounds for this vulnerability, upgrading to the fixed version is the recommended course of action.

**Name of the Vulnerable Software and Affected Versions** TYPO3 direct mail extension versions through 5.2.2 **Description** The issue is related to a missing access check in the backend module of the direct mail extension, which allows a user with restricted permissions to the fe users table to view and export data of frontend users subscribed to a newsletter. **Recommendations** For versions through 5.2.2, consider restricting access to the backend module of the direct mail extension to prevent unauthorized viewing and export of frontend user data until a fix is available.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions 6.2.0 through 6.2.2 **Description** The issue concerns the Authentication component, which fails to properly invalidate timed out user sessions. This allows remote attackers to bypass authentication. **Recommendations** For TYPO3 versions 6.2.0 through 6.2.2, update to version 6.2.3 or later to resolve the issue.