Oliver Hader

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions prior to 10.4.57 TYPO3 CMS versions 11.0.0 through 11.5.51 TYPO3 CMS versions 12.0.0 through 12.4.46 TYPO3 CMS versions 13.0.0 through 13.4.31 TYPO3 CMS versions 14.0.0 through 14.3.3 **Description** Backend users with access to the Form Framework can utilize files that do not end with the `.form.yaml` extension as form definitions, as the system fails to deny incorrect file extensions. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, enabling attackers to escalate privileges by creating administrative backend user accounts. **Recommendations** Update to version 10.4.57 or later. Update to version 11.5.52 or later. Update to version 12.4.47 or later. Update to version 13.4.32 or later. Update to version 14.3.4 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions 14.0.0 through 14.3.3 **Description** Backend users with write access to the `form definition` database table can directly create, update, or delete form definition records using the DataHandler. This process bypasses the Form Framework's persistence validation and permission checks, enabling the injection of arbitrary form configurations. This can lead to SQL injection and privilege escalation. **Recommendations** Update TYPO3 CMS to a version later than 14.3.3.

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions prior to 10.4.57 TYPO3 CMS versions 11.0.0 through 11.5.51 TYPO3 CMS versions 12.0.0 through 12.4.46 TYPO3 CMS versions 13.0.0 through 13.4.31 TYPO3 CMS versions 14.0.0 through 14.3.3 **Description** The cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialize PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend, such as the file system or the `sys registry` database table, can inject a crafted serialized payload to trigger PHP Object Injection. This may allow the exploitation of a gadget chain to achieve Remote Code Execution. **Recommendations** Update to version 10.4.57 or later. Update to version 11.5.52 or later. Update to version 12.4.47 or later. Update to version 13.4.32 or later. Update to version 14.3.4 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions prior to 10.4.57 TYPO3 CMS versions 11.0.0 through 11.5.51 TYPO3 CMS versions 12.0.0 through 12.4.46 TYPO3 CMS versions 13.0.0 through 13.4.31 TYPO3 CMS versions 14.0.0 through 14.3.3 **Description** A path allowance check in the `isAllowedAbsPath()` function of `GeneralUtility` uses a plain string prefix comparison that does not require a directory separator boundary. This allows paths that start with the same characters as the project root but are actually different directories (e.g., `/var/www/html-other/secret.yaml` when the root is `/var/www/html`) to be accepted as valid. Administrator users with access to the File Abstraction Layer can exploit this to create new file storage definitions pointing to directories outside the project root. **Recommendations** Update to version 10.4.57 or later. Update to version 11.5.52 or later. Update to version 12.4.47 or later. Update to version 13.4.32 or later. Update to version 14.3.4 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions prior to 10.4.57 TYPO3 CMS versions 11.0.0 through 11.5.51 TYPO3 CMS versions 12.0.0 through 12.4.46 TYPO3 CMS versions 13.0.0 through 13.4.31 TYPO3 CMS versions 14.0.0 through 14.3.3 **Description** Authenticated backend users can retrieve file metadata through various Backend API routes due to insufficient permission checks. This allows users to access metadata for files located outside their authorized file mounts or storages. **Recommendations** Update to version 10.4.57 or later. Update to version 11.5.52 or later. Update to version 12.4.47 or later. Update to version 13.4.32 or later. Update to version 14.3.4 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions 13.0.0 through 13.4.30 TYPO3 CMS versions 14.0.0 through 14.3.2 **Description** Editors with permissions to create or modify page content can include HTML markup in page titles. These titles are stored in the search index without sanitization and are subsequently rendered without proper output encoding when displayed in frontend search results via the Indexed Search plugin. This leads to Cross-Site Scripting, a condition where malicious scripts are injected into otherwise trusted websites. **Recommendations** Update TYPO3 CMS versions 13.0.0 through 13.4.30 to a version later than 13.4.30. Update TYPO3 CMS versions 14.0.0 through 14.3.2 to a version later than 14.3.2.

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions prior to 10.4.57 TYPO3 CMS versions 11.0.0 through 11.5.50 TYPO3 CMS versions 12.0.0 through 12.4.45 TYPO3 CMS versions 13.0.0 through 13.4.30 TYPO3 CMS versions 14.0.0 through 14.3.2 **Description** Backend users with file write permissions can bypass upload restrictions in the Form Framework by using mixed-case extensions, such as `.FORM.YAML`. This allows the upload of maliciously crafted form definition files that can execute arbitrary SQL statements, enabling attackers to escalate privileges by creating administrative backend user accounts. **Recommendations** Update to version 10.4.57 or later. Update to version 11.5.51 or later. Update to version 12.4.46 or later. Update to version 13.4.31 or later. Update to version 14.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** typo3/html-sanitizer versions prior to 2.3.2 **Description** When the `ALLOW INSECURE RAW TEXT` setting is enabled, the sanitizer fails to recognize closing tags containing whitespace variants, such as `</stylet>`. Because browsers interpret these as valid end tags, subsequent content can escape the sanitization process, enabling a bypass of the cross-site scripting prevention mechanism. **Recommendations** Update to version 2.3.2 or later. As a temporary mitigation, disable the `ALLOW INSECURE RAW TEXT` setting.

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS version 14.2.0 **Description** Changing backend users passwords through the user settings module causes the cleartext password to be stored in the `uc` and `user settings` fields of the `be users` database table. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions 10.0.0 through 10.4.54 TYPO3 versions 11.0.0 through 11.5.48 TYPO3 versions 12.0.0 through 12.4.40 TYPO3 versions 13.0.0 through 13.4.22 TYPO3 versions 14.0.0 through 14.0.1 **Description** A flaw exists in TYPO3 that allows local users with write access to the spool directory to execute arbitrary PHP code on the web server. This is possible by crafting a malicious file that is deserialized during the `mailer:spool:send` command. **Recommendations** Update TYPO3 versions to a version later than 10.4.54. Update TYPO3 versions to a version later than 11.5.48. Update TYPO3 versions to a version later than 12.4.40. Update TYPO3 versions to a version later than 13.4.22. Update TYPO3 versions to a version later than 14.0.1.

Name of the Vulnerable Software and Affected Versions: TYPO3 CMS versions 11.0.0 through 11.5.47 TYPO3 CMS versions 12.0.0 through 12.4.36 TYPO3 CMS versions 13.0.0 through 13.4.17 Description: The CSV download feature lacks proper authorization checks. This allows backend users to disclose information from arbitrary database tables stored within their web mounts, even without having explicit access to those tables. Recommendations: Update TYPO3 CMS to a version beyond 11.5.47. Update TYPO3 CMS to a version beyond 12.4.36. Update TYPO3 CMS to a version beyond 13.4.17.

Name of the Vulnerable Software and Affected Versions: TYPO3 CMS versions 9.0.0 through 9.5.54 TYPO3 CMS versions 10.0.0 through 10.4.53 TYPO3 CMS versions 11.0.0 through 11.5.47 TYPO3 CMS versions 12.0.0 through 12.4.36 TYPO3 CMS versions 13.0.0 through 13.4.17 Description: The Workspace Module in TYPO3 CMS is susceptible to missing authorization checks. This allows backend users to directly invoke the corresponding AJAX backend route, potentially disclosing sensitive information without proper access. Recommendations: TYPO3 CMS versions 9.0.0 through 9.5.54: Implement robust authorization checks for the Workspace Module's AJAX backend routes. TYPO3 CMS versions 10.0.0 through 10.4.53: Implement robust authorization checks for the Workspace Module's AJAX backend routes. TYPO3 CMS versions 11.0.0 through 11.5.47: Implement robust authorization checks for the Workspace Module's AJAX backend routes. TYPO3 CMS versions 12.0.0 through 12.4.36: Implement robust authorization checks for the Workspace Module's AJAX backend routes. TYPO3 CMS versions 13.0.0 through 13.4.17: Implement robust authorization checks for the Workspace Module's AJAX backend routes.

Name of the Vulnerable Software and Affected Versions: TYPO3 CMS versions 9.0.0 through 9.5.54 TYPO3 CMS versions 10.0.0 through 10.4.53 TYPO3 CMS versions 11.0.0 through 11.5.47 TYPO3 CMS versions 12.0.0 through 12.4.36 TYPO3 CMS versions 13.0.0 through 13.4.17 Description: An open-redirect vulnerability exists in the `GeneralUtility::sanitizeLocalUrl` function. This allows an attacker to redirect users to arbitrary external sites, potentially enabling phishing attacks through a manipulated, sanitized URL. Recommendations: TYPO3 CMS versions 9.0.0 through 9.5.54: At the moment, there is no information about a newer version that contains a fix for this vulnerability. TYPO3 CMS versions 10.0.0 through 10.4.53: At the moment, there is no information about a newer version that contains a fix for this vulnerability. TYPO3 CMS versions 11.0.0 through 11.5.47: At the moment, there is no information about a newer version that contains a fix for this vulnerability. TYPO3 CMS versions 12.0.0 through 12.4.36: At the moment, there is no information about a newer version that contains a fix for this vulnerability. TYPO3 CMS versions 13.0.0 through 13.4.17: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: TYPO3 CMS versions 12.0.0 through 12.4.36 TYPO3 CMS versions 13.0.0 through 13.4.17 Description: A deterministic three-character prefix in the Password Generation component reduces entropy, potentially enabling attackers to expedite brute-force attacks. Recommendations: Update TYPO3 CMS to a version later than 12.4.36. Update TYPO3 CMS to a version later than 13.4.17.

Name of the Vulnerable Software and Affected Versions: TYPO3 CMS versions 11.0.0 through 11.5.47 TYPO3 CMS versions 12.0.0 through 12.4.36 TYPO3 CMS versions 13.0.0 through 13.4.17 Description: An uncaught exception within the Bookmark Toolbar component allows administrator-level backend users to trigger a denial-of-service condition in the backend user interface. This occurs when saving manipulated data in the bookmark toolbar. Recommendations: Update TYPO3 CMS to a version later than 11.5.47. Update TYPO3 CMS to a version later than 12.4.36. Update TYPO3 CMS to a version later than 13.4.17.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 13.4.3 ELTS **Description** A problem has been discovered where the install tool password is logged as plaintext if the password hashing mechanism used for the password was incorrect. There are no known workarounds for this issue. Users are advised to update to a fixed version. **Recommendations** Update to TYPO3 version 13.4.3 ELTS, which fixes the problem described. As a temporary workaround, consider restricting access to the install tool until the update is applied.

**Name of the Vulnerable Software and Affected Versions** powermail extension versions through 12.3.5 for TYPO3 **Description** An issue was discovered in the powermail extension, resulting in Broken Access Control due to missing or insufficiently implemented access checks in several actions of the OutputController. This allows an unauthenticated attacker to edit, update, delete, or export data of persisted forms when the Powermail Frontend plugins are used. **Recommendations** For versions through 12.3.5, update to version 7.5.0, 8.5.0, 10.9.0, or 12.4.0 to resolve the issue. As a temporary workaround, consider restricting access to the Powermail Frontend plugins until a patch is applied. Avoid using the vulnerable actions in the OutputController until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 8.7.57 ELTS TYPO3 versions prior to 9.5.46 ELTS TYPO3 versions prior to 10.4.43 ELTS TYPO3 versions prior to 11.5.35 LTS TYPO3 versions prior to 12.4.11 LTS TYPO3 versions prior to 13.0.1 **Description** In affected versions of TYPO3, entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this issue requires a valid backend user account. **Recommendations** Update to TYPO3 version 8.7.57 ELTS or later. Update to TYPO3 version 9.5.46 ELTS or later. Update to TYPO3 version 10.4.43 ELTS or later. Update to TYPO3 version 11.5.35 LTS or later. Update to TYPO3 version 12.4.11 LTS or later. Update to TYPO3 version 13.0.1 or later. As a temporary workaround, consider restricting access to the `DataHandler` and limiting the ability to persist entities of the File Abstraction Layer directly. When importing data from secure origins, explicitly enable it in the corresponding `DataHandler` instance by using `$dataHandler->isImporting = true;`.

**Name of the Vulnerable Software and Affected Versions** fp newsletter extension versions prior to 1.1.1 fp newsletter extension version 1.2.0 fp newsletter extension versions 2.x prior to 2.1.2 fp newsletter extension versions 2.2.1 through 2.4.0 fp newsletter extension versions 3.x prior to 3.2.6 **Description** An issue was discovered in the fp newsletter extension for TYPO3, where data about subscribers may be obtained via `createAction` operations. **Recommendations** For fp newsletter extension versions prior to 1.1.1, update to version 1.1.1 or later. For fp newsletter extension version 1.2.0, update to version 2.1.2 or later. For fp newsletter extension versions 2.x prior to 2.1.2, update to version 2.1.2 or later. For fp newsletter extension versions 2.2.1 through 2.4.0, update to version 3.2.6 or later. For fp newsletter extension versions 3.x prior to 3.2.6, update to version 3.2.6 or later. As a temporary workaround, consider restricting access to the `createAction` operations until a patch is available.

**Name of the Vulnerable Software and Affected Versions** fp newsletter extension versions prior to 1.1.1 fp newsletter extension version 1.2.0 fp newsletter extension versions 2.x prior to 2.1.2 fp newsletter extension versions 2.2.1 through 2.4.0 fp newsletter extension versions 3.x prior to 3.2.6 **Description** An issue was discovered in the fp newsletter extension for TYPO3, where attackers can unsubscribe everyone via a series of modified subscription UIDs in `deleteAction` operations. **Recommendations** For fp newsletter extension versions prior to 1.1.1, update to version 1.1.1 or later. For fp newsletter extension version 1.2.0, update to version 2.1.2 or later. For fp newsletter extension versions 2.x prior to 2.1.2, update to version 2.1.2 or later. For fp newsletter extension versions 2.2.1 through 2.4.0, update to version 3.2.6 or later. For fp newsletter extension versions 3.x prior to 3.2.6, update to version 3.2.6 or later. As a temporary workaround, consider restricting access to the `deleteAction` operation until a patch is available.