Christian Kuhn

**Name of the Vulnerable Software and Affected Versions** News system (news) (affected versions not specified) **Description** The extension fails to properly sanitize user input before using it in a database query. This allows an unauthenticated attacker to perform SQL injection, which is the insertion of malicious SQL code into a query, through a URL parameter on pages utilizing the "Date Menu of news articles" plugin. This issue is exploitable when the "Date Menu of news articles" plugin is active and the TypoScript/Plugin setting `disableOverrideDemand` is not enabled. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. Enable the TypoScript/Plugin setting `disableOverrideDemand` to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 8.7.57 ELTS TYPO3 versions prior to 9.5.46 ELTS TYPO3 versions prior to 10.4.43 ELTS TYPO3 versions prior to 11.5.35 LTS TYPO3 versions prior to 12.4.11 LTS TYPO3 versions prior to 13.0.1 **Description** The issue concerns password hashes being reflected in the editing forms of the TYPO3 backend user interface, allowing attackers to crack the plaintext password using brute force techniques. Exploiting this issue requires a valid backend user account. **Recommendations** Update to TYPO3 version 8.7.57 ELTS or later Update to TYPO3 version 9.5.46 ELTS or later Update to TYPO3 version 10.4.43 ELTS or later Update to TYPO3 version 11.5.35 LTS or later Update to TYPO3 version 12.4.11 LTS or later Update to TYPO3 version 13.0.1 or later