Maxime Verroye

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 4.3.4 TYPO3 versions 4.4.x prior to 4.4.1 **Description** The issue allows for XSS in the textarea view helper in an extbase extension. **Recommendations** For versions prior to 4.3.4, update to version 4.3.4 or later. For versions 4.4.x prior to 4.4.1, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 4.2.13 TYPO3 versions 4.3.x prior to 4.3.4 TYPO3 versions 4.4.x prior to 4.4.1 **Description** The issue allows information disclosure in the mail header of the HTML mailing API. **Recommendations** For versions prior to 4.2.13, update to version 4.2.13 or later. For versions 4.3.x prior to 4.3.4, update to version 4.3.4 or later. For versions 4.4.x prior to 4.4.1, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 4.4.1 **Description** The issue allows for XSS in the frontend search box. **Recommendations** For versions prior to 4.4.1, update to version 4.4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 4.3.4 TYPO3 versions 4.4.x prior to 4.4.1 **Description** The issue concerns insecure randomness during the generation of a hash with the "forgot password" function. **Recommendations** For versions prior to 4.3.4, update to version 4.3.4 or later. For versions 4.4.x prior to 4.4.1, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 4.1.14 TYPO3 versions 4.2.x prior to 4.2.13 TYPO3 versions 4.3.x prior to 4.3.4 TYPO3 versions 4.4.x prior to 4.4.1 **Description** The issue allows remote attackers to perform a session fixation attack, enabling them to hijack a victim's session. **Recommendations** For versions prior to 4.1.14, update to version 4.1.14 or later. For versions 4.2.x prior to 4.2.13, update to version 4.2.13 or later. For versions 4.3.x prior to 4.3.4, update to version 4.3.4 or later. For versions 4.4.x prior to 4.4.1, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions 4.1.x through 4.1.13 TYPO3 versions 4.2.x through 4.2.12 TYPO3 versions 4.3.x through 4.3.3 TYPO3 versions 4.4.x through 4.4.0 **Description** The issue concerns insecure randomness in the `uniqid` function. **Recommendations** For versions 4.1.x through 4.1.13, update to version 4.1.14 or later. For versions 4.2.x through 4.2.12, update to version 4.2.13 or later. For versions 4.3.x through 4.3.3, update to version 4.3.4 or later. For versions 4.4.x through 4.4.0, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 4.1.14 TYPO3 versions 4.2.x prior to 4.2.13 TYPO3 versions 4.3.x prior to 4.3.4 TYPO3 versions 4.4.x prior to 4.4.1 **Description** The issue allows Header Injection in the secure download feature jumpurl. **Recommendations** For versions prior to 4.1.14, update to version 4.1.14 or later. For versions 4.2.x prior to 4.2.13, update to version 4.2.13 or later. For versions 4.3.x prior to 4.3.4, update to version 4.3.4 or later. For versions 4.4.x prior to 4.4.1, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 4.2.13 TYPO3 versions 4.3.x prior to 4.3.4 TYPO3 versions 4.4.x prior to 4.4.1 **Description** The issue allows for XSS and Open Redirection in the frontend login box. **Recommendations** For versions prior to 4.2.13, update to version 4.2.13 or later. For versions 4.3.x prior to 4.3.4, update to version 4.3.4 or later. For versions 4.4.x prior to 4.4.1, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions 4.1.x through 4.1.13 TYPO3 versions 4.2.x through 4.2.12 TYPO3 versions 4.3.x through 4.3.3 TYPO3 versions 4.4.x through 4.4.0 **Description** The issue allows spam abuse in the native form content element, enabling an attacker to send emails to arbitrary email addresses. **Recommendations** For versions 4.1.x through 4.1.13, update to version 4.1.14 or later. For versions 4.2.x through 4.2.12, update to version 4.2.13 or later. For versions 4.3.x through 4.3.3, update to version 4.3.4 or later. For versions 4.4.x through 4.4.0, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions 4.1.x through 4.1.13 TYPO3 versions 4.2.x through 4.2.12 TYPO3 versions 4.3.x through 4.3.3 TYPO3 versions 4.4.x through 4.4.0 **Description** The issue allows SQL Injection on the backend. **Recommendations** For versions 4.1.x through 4.1.13, update to version 4.1.14 or later. For versions 4.2.x through 4.2.12, update to version 4.2.13 or later. For versions 4.3.x through 4.3.3, update to version 4.3.4 or later. For versions 4.4.x through 4.4.0, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions 4.1.x through 4.1.13 TYPO3 versions 4.2.x through 4.2.12 TYPO3 versions 4.3.x through 4.3.3 TYPO3 versions 4.4.x through 4.4.0 **Description** The issue is related to an insecure default value of the `fileDenyPattern` variable, which could allow remote attackers to execute arbitrary code on the backend. **Recommendations** For versions 4.1.x through 4.1.13, update to version 4.1.14 or later. For versions 4.2.x through 4.2.12, update to version 4.2.13 or later. For versions 4.3.x through 4.3.3, update to version 4.3.4 or later. For versions 4.4.x through 4.4.0, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 4.1.14 TYPO3 versions 4.2.x prior to 4.2.13 TYPO3 versions 4.3.x prior to 4.3.4 TYPO3 versions 4.4.x prior to 4.4.1 **Description** The issue allows information disclosure on the backend. **Recommendations** For versions prior to 4.1.14, update to version 4.1.14 or later. For versions 4.2.x prior to 4.2.13, update to version 4.2.13 or later. For versions 4.3.x prior to 4.3.4, update to version 4.3.4 or later. For versions 4.4.x prior to 4.4.1, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 4.1.14 TYPO3 versions 4.2.x prior to 4.2.13 TYPO3 versions 4.3.x prior to 4.3.4 TYPO3 versions 4.4.x prior to 4.4.1 **Description** The issue allows for cross-site scripting (XSS) in the Extension Manager. **Recommendations** For versions prior to 4.1.14, update to version 4.1.14 or later. For versions 4.2.x prior to 4.2.13, update to version 4.2.13 or later. For versions 4.3.x prior to 4.3.4, update to version 4.3.4 or later. For versions 4.4.x prior to 4.4.1, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 4.1.14 TYPO3 versions 4.2.x prior to 4.2.13 TYPO3 versions 4.3.x prior to 4.3.4 TYPO3 versions 4.4.x prior to 4.4.1 **Description** The issue allows Open Redirection on the backend. **Recommendations** For versions prior to 4.1.14, update to version 4.1.14 or later. For versions 4.2.x prior to 4.2.13, update to version 4.2.13 or later. For versions 4.3.x prior to 4.3.4, update to version 4.3.4 or later. For versions 4.4.x prior to 4.4.1, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 4.1.14 TYPO3 versions 4.2.x prior to 4.2.13 TYPO3 versions 4.3.x prior to 4.3.4 TYPO3 versions 4.4.x prior to 4.4.1 **Description** The issue allows for cross-site scripting (XSS) attacks on the backend. **Recommendations** For versions prior to 4.1.14, update to version 4.1.14 or later. For versions 4.2.x prior to 4.2.13, update to version 4.2.13 or later. For versions 4.3.x prior to 4.3.4, update to version 4.3.4 or later. For versions 4.4.x prior to 4.4.1, update to version 4.4.1 or later.

Name of the Vulnerable Software and Affected Versions: TYPO3 CMS versions 4.1.x through 4.1.13 TYPO3 CMS versions 4.2.x through 4.2.12 TYPO3 CMS versions 4.3.x through 4.3.3 TYPO3 CMS versions 4.4.x through 4.4.0 Description: The issue allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified parameters to the extension manager or unspecified parameters to unknown backend forms. Recommendations: For versions 4.1.x through 4.1.13, update to version 4.1.14 or later. For versions 4.2.x through 4.2.12, update to version 4.2.13 or later. For versions 4.3.x through 4.3.3, update to version 4.3.4 or later. For versions 4.4.x through 4.4.0, update to version 4.4.1 or later.