Benjamin Franzke

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions prior to 10.4.57 TYPO3 CMS versions 11.0.0 through 11.5.50 TYPO3 CMS versions 12.0.0 through 12.4.45 TYPO3 CMS versions 13.0.0 through 13.4.30 TYPO3 CMS versions 14.0.0 through 14.3.2 **Description** Backend users with file write permissions can bypass upload restrictions in the Form Framework by using mixed-case extensions, such as `.FORM.YAML`. This allows the upload of maliciously crafted form definition files that can execute arbitrary SQL statements, enabling attackers to escalate privileges by creating administrative backend user accounts. **Recommendations** Update to version 10.4.57 or later. Update to version 11.5.51 or later. Update to version 12.4.46 or later. Update to version 13.4.31 or later. Update to version 14.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions prior to 10.4.57 TYPO3 CMS versions 11.0.0 through 11.5.50 TYPO3 CMS versions 12.0.0 through 12.4.45 TYPO3 CMS versions 13.0.0 through 13.4.30 TYPO3 CMS versions 14.0.0 through 14.3.2 **Description** Applications utilizing the `sanitizeLocalUrl()` function within the `GeneralUtility` class to restrict URLs to local addresses are susceptible to open redirect attacks. This occurs when a URL is used after passing the sanitization checks, allowing attackers to redirect users to external malicious content, which can be leveraged for phishing attacks. **Recommendations** Update to version 10.4.57 or later. Update to version 11.5.51 or later. Update to version 12.4.46 or later. Update to version 13.4.31 or later. Update to version 14.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** typo3/html-sanitizer versions prior to 2.3.2 **Description** Namespace attributes are not encoded correctly during HTML serialization. This flaw allows the cross-site scripting prevention mechanism to be bypassed. Cross-site scripting is a technique where malicious scripts are injected into otherwise benign and trusted websites. **Recommendations** Update to version 2.3.2 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions 10.0.0 through 10.4.54 TYPO3 versions 11.0.0 through 11.5.48 TYPO3 versions 12.0.0 through 12.4.40 TYPO3 versions 13.0.0 through 13.4.22 TYPO3 versions 14.0.0 through 14.0.1 **Description** An issue exists where manipulation of the `defVals` parameter can bypass field-level access checks during record creation within the TYPO3 backend. Successful exploitation allows attackers to insert arbitrary data into restricted fields of a database table, provided the user already possesses write permissions for a limited set of fields. **Recommendations** TYPO3 versions 10.0.0 through 10.4.54 should be updated. TYPO3 versions 11.0.0 through 11.5.48 should be updated. TYPO3 versions 12.0.0 through 12.4.40 should be updated. TYPO3 versions 13.0.0 through 13.4.22 should be updated. TYPO3 versions 14.0.0 through 14.0.1 should be updated.

Name of the Vulnerable Software and Affected Versions: TYPO3 CMS versions 11.0.0 through 11.5.47 TYPO3 CMS versions 12.0.0 through 12.4.36 TYPO3 CMS versions 13.0.0 through 13.4.17 Description: The CSV download feature lacks proper authorization checks. This allows backend users to disclose information from arbitrary database tables stored within their web mounts, even without having explicit access to those tables. Recommendations: Update TYPO3 CMS to a version beyond 11.5.47. Update TYPO3 CMS to a version beyond 12.4.36. Update TYPO3 CMS to a version beyond 13.4.17.

Name of the Vulnerable Software and Affected Versions: TYPO3 CMS versions 9.0.0 through 9.5.54 TYPO3 CMS versions 10.0.0 through 10.4.53 TYPO3 CMS versions 11.0.0 through 11.5.47 TYPO3 CMS versions 12.0.0 through 12.4.36 TYPO3 CMS versions 13.0.0 through 13.4.17 Description: An open-redirect vulnerability exists in the `GeneralUtility::sanitizeLocalUrl` function. This allows an attacker to redirect users to arbitrary external sites, potentially enabling phishing attacks through a manipulated, sanitized URL. Recommendations: TYPO3 CMS versions 9.0.0 through 9.5.54: At the moment, there is no information about a newer version that contains a fix for this vulnerability. TYPO3 CMS versions 10.0.0 through 10.4.53: At the moment, there is no information about a newer version that contains a fix for this vulnerability. TYPO3 CMS versions 11.0.0 through 11.5.47: At the moment, there is no information about a newer version that contains a fix for this vulnerability. TYPO3 CMS versions 12.0.0 through 12.4.36: At the moment, there is no information about a newer version that contains a fix for this vulnerability. TYPO3 CMS versions 13.0.0 through 13.4.17: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions 9.0.0 through 9.5.47 ELTS TYPO3 versions 10.0.0 through 10.4.44 ELTS TYPO3 versions 11.0.0 through 11.5.36 LTS TYPO3 versions 12.0.0 through 12.4.14 LTS TYPO3 versions 13.0.0 through 13.0.0 **Description** The form manager backend module is vulnerable to cross-site scripting. Exploiting this issue requires a valid backend user account with access to the form module. **Recommendations** Update to TYPO3 version 9.5.48 ELTS Update to TYPO3 version 10.4.45 ELTS Update to TYPO3 version 11.5.37 LTS Update to TYPO3 version 12.4.15 LTS Update to TYPO3 version 13.1.1

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 8.7.57 ELTS TYPO3 versions prior to 9.5.46 ELTS TYPO3 versions prior to 10.4.43 ELTS TYPO3 versions prior to 11.5.35 LTS TYPO3 versions prior to 12.4.11 LTS TYPO3 versions prior to 13.0.1 **Description** The plaintext value of `$GLOBALS['SYS']['encryptionKey']` was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this issue requires an administrator-level backend user account with system maintainer permissions. **Recommendations** Update to TYPO3 version 8.7.57 ELTS or later Update to TYPO3 version 9.5.46 ELTS or later Update to TYPO3 version 10.4.43 ELTS or later Update to TYPO3 version 11.5.35 LTS or later Update to TYPO3 version 12.4.11 LTS or later Update to TYPO3 version 13.0.1 or later

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to the fix of the regression introduced during TYPO3 v11 development **Description** The issue is related to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses this header to generate absolute URLs, but since it is provided by the client, it can be forged. A regression during TYPO3 v11 development led to this vulnerability, as the existing setting `$GLOBALS['TYPO3 CONF VARS']['SYS']['trustedHostsPattern']` was not evaluated anymore. **Recommendations** For versions prior to the fix of the regression introduced during TYPO3 v11 development, ensure the setting `$GLOBALS['TYPO3 CONF VARS']['SYS']['trustedHostsPattern']` is properly evaluated to mitigate the host spoofing issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.