Richie Lee

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 8.7.57 ELTS TYPO3 versions prior to 9.5.46 ELTS TYPO3 versions prior to 10.4.43 ELTS TYPO3 versions prior to 11.5.35 LTS TYPO3 versions prior to 12.4.11 LTS TYPO3 versions prior to 13.0.1 **Description** The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users' permission scope, including files, folders, pages, and records, if a valid link-handling configuration was provided. Exploiting this issue requires a valid backend user account. **Recommendations** Update to TYPO3 version 8.7.57 ELTS or later Update to TYPO3 version 9.5.46 ELTS or later Update to TYPO3 version 10.4.43 ELTS or later Update to TYPO3 version 11.5.35 LTS or later Update to TYPO3 version 12.4.11 LTS or later Update to TYPO3 version 13.0.1 or later As a temporary workaround, consider restricting access to the `t3://` URI scheme until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 11.5.0 **Description** A cross-site request forgery issue has been discovered in the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface. This issue can be exploited without the need for the attacker to be authenticated and is not limited to the same site context. In a worst-case scenario, an attacker could create a new admin user account to compromise the system. The attack requires the victim to have an active session in the TYPO3 backend and to access a compromised system. Specific Same-Site cookie settings are required for the attack to be successful, including `SameSite=strict` for attacks from a different domain and `SameSite=lax` or `none` for attacks from a different top-level domain. **Recommendations** Update to TYPO3 version 11.5.0 to address the issue.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 7.6.53 ELTS TYPO3 versions prior to 8.7.42 ELTS TYPO3 versions prior to 9.5.29 TYPO3 versions prior to 10.4.19 TYPO3 versions prior to 11.3.2 **Description** The content rendering process in the website frontend is vulnerable to cross-site scripting due to failing to properly parse, sanitize, and encode malicious rich-text content. Corresponding rendering instructions via TypoScript functionality HTMLparser do not consider all potentially malicious HTML tag and attribute combinations by default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. However, if custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. **Recommendations** Update to TYPO3 version 7.6.53 ELTS to fix the problem described. Update to TYPO3 version 8.7.42 ELTS to fix the problem described. Update to TYPO3 version 9.5.29 to fix the problem described. Update to TYPO3 version 10.4.19 to fix the problem described. Update to TYPO3 version 11.3.2 to fix the problem described. As a temporary workaround, consider restricting access to custom plugins that accept and reflect rich-text content submitted by users until a patch is available. Restrict the use of the `lib.parseFunc` TypoScript path and the `f:format.html` Fluid view-helper instruction to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions 9.0.0 through 9.5.28 TYPO3 versions 10.0.0 through 10.4.17 TYPO3 versions 11.0.0 through 11.3.0 **Description** The issue is related to the components ` QueryGenerator ` and ` QueryView ` in the TYPO3 content management system, which are vulnerable to both reflected and persistent cross-site scripting when error messages are not properly encoded. A valid backend user account with administrator privileges is needed to exploit this issue. **Recommendations** For versions 9.0.0 through 9.5.28, update to version 9.5.29. For versions 10.0.0 through 10.4.17, update to version 10.4.18. For versions 11.0.0 through 11.3.0, update to version 11.3.1. As a temporary workaround, consider restricting access to the ` QueryGenerator ` and ` QueryView ` components until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 8.7.40, 9.5.25, 10.4.14, 11.1.1 **Description** The issue arises from improper input validation, allowing attackers to bypass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. This enables attackers to explicitly allow arbitrary mime-types for file uploads. Although the default fileDenyPattern successfully blocks files like .htaccess or malicious.php, attackers can still persist those files in any writable directory of the corresponding TYPO3 installation. A valid backend user account with access to the form module is needed to exploit this vulnerability. **Recommendations** Update to TYPO3 version 8.7.40 to fix the issue. Update to TYPO3 version 9.5.25 to fix the issue. Update to TYPO3 version 10.4.14 to fix the issue. Update to TYPO3 version 11.1.1 to fix the issue.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 10.4.14 TYPO3 versions prior to 11.1.1 **Description** The Form Designer backend module of the Form Framework in TYPO3 is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this issue. **Recommendations** Update to version 10.4.14 to resolve the issue. Update to version 11.1.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 10.4.14 TYPO3 versions prior to 11.1.1 **Description** The issue concerns database fields used as `descriptionColumn` that are vulnerable to cross-site scripting when their content gets previewed. A valid backend user account is needed to exploit this issue. **Recommendations** Update to version 10.4.14 to resolve the issue for versions prior to 10.4.14. Update to version 11.1.1 to resolve the issue for versions prior to 11.1.1.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 8.7.40 TYPO3 versions prior to 9.5.25 TYPO3 versions prior to 10.4.14 TYPO3 versions prior to 11.1.1 **Description** The issue arises from the lack of ensuring file extensions belong to configured allowed mime-types, allowing attackers to upload arbitrary data with arbitrary file extensions. However, the default `fileDenyPattern` successfully blocks files like `.htaccess` or `malicious.php`. The `UploadedFileReferenceConverter` handles file uploads for extensions using the Extbase MVC framework and accepts any file mime-type, persisting files in the default location `/fileadmin/user upload/`. This allows attackers to directly reference files or guess filenames used by other individuals, disclosing this information. No authentication is required to exploit this issue. **Recommendations** Update to TYPO3 version 8.7.40 to resolve the issue. Update to TYPO3 version 9.5.25 to resolve the issue. Update to TYPO3 version 10.4.14 to resolve the issue. Update to TYPO3 version 11.1.1 to resolve the issue. For Extbase extensions that rely on the global availability of the `UploadedFileReferenceConverter`, implement a custom `TypeConverter` to handle file uploads or explicitly implement the `ext:form` `UploadedFileReferenceConverter` with appropriate settings for accepted mime-types.