Typo3 · Typo3 · CVE-2023-38499
**Name of the Vulnerable Software and Affected Versions**
TYPO3 versions 9.4.0 through 9.5.41 ELTS
TYPO3 versions 10.4.0 through 10.4.38 ELTS
TYPO3 versions 11.5.0 through 11.5.29
TYPO3 versions 12.4.0 through 12.4.3
**Description**
In multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available.
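A detection sketch for the `id`/`L` enumeration described above, as an added example that is not part of the original advisory or of TYPO3 itself. It flags clients that request many distinct `id`/`L` combinations on one host; the log format (virtual host first), the sample lines, the function name `find_enumeration` and the threshold of 5 are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines, not real traffic. Assumed format: virtual host
# first, then the usual common-log fields (e.g. Apache "%v %h %l %u %t ...").
SAMPLE_LOG = """\
www.example.org 203.0.113.7 - - [01/Aug/2023:10:00:01 +0000] "GET /?id=101&L=0 HTTP/1.1" 200 5120
www.example.org 203.0.113.7 - - [01/Aug/2023:10:00:02 +0000] "GET /?id=102&L=0 HTTP/1.1" 404 310
www.example.org 203.0.113.7 - - [01/Aug/2023:10:00:03 +0000] "GET /?id=103&L=0 HTTP/1.1" 200 4890
www.example.org 203.0.113.7 - - [01/Aug/2023:10:00:04 +0000] "GET /?id=103&L=1 HTTP/1.1" 200 4901
www.example.org 203.0.113.7 - - [01/Aug/2023:10:00:05 +0000] "GET /?id=104&L=0 HTTP/1.1" 404 310
www.example.org 203.0.113.7 - - [01/Aug/2023:10:00:06 +0000] "GET /?id=105&L=0 HTTP/1.1" 200 7312
www.example.org 198.51.100.20 - - [01/Aug/2023:10:01:00 +0000] "GET /about HTTP/1.1" 200 2048
www.example.org 198.51.100.20 - - [01/Aug/2023:10:01:09 +0000] "GET /?id=1&L=0 HTTP/1.1" 200 6100
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3}\b'
)

def find_enumeration(log_text, min_distinct=5):
    """Map (host, client) to the sorted distinct (id, L) pairs it requested,
    keeping only clients with at least min_distinct pairs on that host."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a request line in the assumed format
        query = parse_qs(urlsplit(match["target"]).query)
        page_ids = query.get("id")
        if not page_ids:
            continue  # request does not resolve a page by query parameter
        language = query.get("L", [""])[0]
        seen[(match["host"], match["client"])].add((page_ids[0], language))
    return {key: sorted(pairs) for key, pairs in seen.items()
            if len(pairs) >= min_distinct}

if __name__ == "__main__":
    for (host, client), pairs in find_enumeration(SAMPLE_LOG).items():
        print(f"{client} probed {len(pairs)} id/L combinations on {host}: {pairs}")
```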
**Recommendations**
Update to TYPO3 version 9.5.42 ELTS to fix the problem.
Update to TYPO3 version 10.4.39 ELTS to fix the problem.
Update to TYPO3 version 11.5.30 to fix the problem.
Update to TYPO3 version 12.4.4 to fix the problem.
As a temporary workaround, consider disabling the resolution of sites by the `id` and `L` HTTP query parameters until a patch is available.
Note that the new feature flag `security.frontend.allowInsecureSiteResolutionByQueryParameters` can be used to reactivate the previous behavior, but it is disabled by default.