Torben Hansen

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions 13.0.0 through 13.4.31 TYPO3 CMS versions 14.0.0 through 14.3.3 **Description** Backend users can move records to a different page even if they lack the necessary edit permissions on the source page. **Recommendations** Update TYPO3 CMS versions 13.0.0 through 13.4.31 to a version later than 13.4.31. Update TYPO3 CMS versions 14.0.0 through 14.3.3 to a version later than 14.3.3.

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions 11.0.0 through 11.5.50 TYPO3 CMS versions 12.0.0 through 12.4.45 TYPO3 CMS versions 13.0.0 through 13.4.30 TYPO3 CMS versions 14.0.0 through 14.3.2 **Description** Backend users with file download permissions can download files from the fallback storage of the file abstraction layer (FAL) through the Media Module. Because the fallback storage resolves paths relative to the server's document root, this can lead to the exposure of sensitive files, such as log files. **Recommendations** Update TYPO3 CMS versions 11.0.0 through 11.5.50 to a version later than 11.5.50. Update TYPO3 CMS versions 12.0.0 through 12.4.45 to a version later than 12.4.45. Update TYPO3 CMS versions 13.0.0 through 13.4.30 to a version later than 13.4.30. Update TYPO3 CMS versions 14.0.0 through 14.3.2 to a version later than 14.3.2.

**Name of the Vulnerable Software and Affected Versions** Content Element Selector (ceselector) (affected versions not specified) **Description** The extension passes an attacker-controlled cookie directly to the `unserialize()` function without safe processing. A remote, unauthenticated attacker can provide a crafted serialized payload to trigger PHP Object Injection, which allows for Remote Code Execution on the TYPO3 server. This issue occurs when the content element is configured with "Persistent Mode: Static" in the plugin settings. Over 294,700 TYPO3 CMS surfaces were indexed by FOFA in the past year. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** powermail extension versions prior to 7.5.1 powermail extension versions prior to 8.5.1 powermail extension versions prior to 10.9.1 powermail extension versions prior to 12.4.1 **Description** An issue was discovered in the powermail extension for TYPO3, where it fails to validate the `mail` parameter of the `createAction`, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. **Recommendations** For versions prior to 7.5.1, update to version 7.5.1 or later. For versions prior to 8.5.1, update to version 8.5.1 or later. For versions prior to 10.9.1, update to version 10.9.1 or later. For versions prior to 12.4.1, update to version 12.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** events2 extension versions prior to 8.3.8 events2 extension versions 9.x prior to 9.0.6 **Description** An issue in the events2 extension for TYPO3 involves missing access checks in the management plugin, leading to an insecure direct object reference (IDOR) vulnerability. This vulnerability allows unauthenticated users to potentially activate or delete various events. **Recommendations** For events2 extension version prior to 8.3.8, update to version 8.3.8 or later. For events2 extension version 9.x prior to 9.0.6, update to version 9.0.6 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions 9.0.0 through 9.5.47 ELTS TYPO3 versions 10.0.0 through 10.4.44 ELTS TYPO3 versions 11.0.0 through 11.5.36 LTS TYPO3 versions 12.0.0 through 12.4.14 LTS TYPO3 versions 13.0.0 through 13.0.0 **Description** The issue arises from failing to properly encode user-controlled values in file entities, making the `ShowImageController` (` eID tx cms showpic `) vulnerable to cross-site scripting. Exploiting this requires a valid backend user account with access to file entities. **Recommendations** Update to TYPO3 version 9.5.48 ELTS Update to TYPO3 version 10.4.45 ELTS Update to TYPO3 version 11.5.37 LTS Update to TYPO3 version 12.4.15 LTS Update to TYPO3 version 13.1.1

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 9.5.48 ELTS TYPO3 versions prior to 10.4.45 ELTS TYPO3 versions prior to 11.5.37 LTS TYPO3 versions prior to 12.4.15 LTS TYPO3 versions prior to 13.1.1 **Description** The `ShowImageController` (` eID tx cms showpic `) lacks a cryptographic HMAC-signature on the `frame` HTTP query parameter, for example, `/index.php?eID=tx cms showpic?file=3&...&frame=12345`. This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. **Recommendations** Update to TYPO3 version 9.5.48 ELTS or later. Update to TYPO3 version 10.4.45 ELTS or later. Update to TYPO3 version 11.5.37 LTS or later. Update to TYPO3 version 12.4.15 LTS or later. Update to TYPO3 version 13.1.1 or later. As a temporary workaround, consider ignoring the `frame` HTTP query parameter in the `ShowImageController` until a patch is available. The new feature flag `security.frontend.allowInsecureFrameOptionInShowImageController` can be used to reactivate the previous behavior, but it is disabled by default.

**Name of the Vulnerable Software and Affected Versions** ke search extension versions prior to 4.0.3 ke search extension versions 4.1.x through 4.6.x before 4.6.6 ke search extension versions 5.x before 5.0.2 **Description** The issue allows XSS via indexed data. **Recommendations** For ke search extension versions prior to 4.0.3, update to version 4.0.3 or later. For ke search extension versions 4.1.x through 4.6.x, update to version 4.6.6 or later. For ke search extension versions 5.x, update to version 5.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** ipandlanguageredirect extension for TYPO3 versions prior to 5.1.2 **Description** The issue allows SQL Injection. **Recommendations** For versions prior to 5.1.2, update to version 5.1.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** femanager extension versions prior to 5.5.3 femanager extension versions 6.x prior to 6.3.4 femanager extension versions 7.x prior to 7.1.0 **Description** An issue in the femanager extension for TYPO3 is related to missing access checks in the `InvitationController`. This allows an unauthenticated user to set the password of all frontend users. The exploitation of this issue may enable a remote attacker to set an arbitrary password for system users. **Recommendations** For versions prior to 5.5.3, update to version 5.5.3 or later. For versions 6.x prior to 6.3.4, update to version 6.3.4 or later. For versions 7.x prior to 7.1.0, update to version 7.1.0 or later. As a temporary workaround, consider disabling the `InvitationController` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** femanager extension versions prior to 5.5.3 femanager extension versions 6.x prior to 6.3.4 femanager extension versions 7.x prior to 7.1.0 **Description** The issue is related to missing access checks in the `InvitationController` function, allowing an unauthenticated user to delete all frontend users. This can be exploited by a remote attacker to delete arbitrary users. **Recommendations** For femanager extension versions prior to 5.5.3, update to version 5.5.3 or later. For femanager extension versions 6.x prior to 6.3.4, update to version 6.3.4 or later. For femanager extension versions 7.x prior to 7.1.0, update to version 7.1.0 or later. As a temporary workaround, consider disabling the `InvitationController` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** fe change pwd extension versions 2.0.5 and earlier, 3.x versions prior to 3.0.3 **Description** An issue was discovered in the fe change pwd extension for TYPO3, where the extension fails to revoke existing sessions for the current user when the password has been changed. **Recommendations** For fe change pwd extension versions 2.0.5 and earlier, update to version 2.0.5 or later. For fe change pwd extension 3.x versions prior to 3.0.3, update to version 3.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 10.4.33 TYPO3 versions prior to 11.5.20 TYPO3 versions prior to 12.1.1 **Description** The issue concerns the password recovery functionality in TYPO3, an open source PHP based web content management system. When users reset their password, existing sessions for that particular user account were not revoked, affecting both frontend and backend user sessions. **Recommendations** Update to version 10.4.33 to resolve the issue. Update to version 11.5.20 to resolve the issue. Update to version 12.1.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 8.7.49 TYPO3 versions prior to 9.5.38 TYPO3 versions prior to 10.4.33 TYPO3 versions prior to 11.5.20 TYPO3 versions prior to 12.1.1 **Description** The issue concerns Improper Authentication in TYPO3, an open source PHP based web content management system. Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account, however, credentials must be known to the adversary. **Recommendations** Update to TYPO3 version 8.7.49 ELTS to fix the issue. Update to TYPO3 version 9.5.38 ELTS to fix the issue. Update to TYPO3 version 10.4.33 to fix the issue. Update to TYPO3 version 11.5.20 to fix the issue. Update to TYPO3 version 12.1.1 to fix the issue.

**Name of the Vulnerable Software and Affected Versions** TYPO3 libconnect extension versions prior to 7.0.8 TYPO3 libconnect extension versions 8.x prior to 8.1.0 **Description** The issue allows for XSS. **Recommendations** For versions prior to 7.0.8, update to version 7.0.8 or later. For versions 8.x prior to 8.1.0, update to version 8.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** oelib extension for TYPO3 versions through 4.1.5 **Description** The issue allows SQL Injection. There is no information about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions through 4.1.5, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** ameos tarteaucitron extension for TYPO3 versions prior to 1.2.23 **Description** The issue allows for XSS. **Recommendations** For ameos tarteaucitron extension for TYPO3 versions prior to 1.2.23, update to version 1.2.23 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** lux extension versions prior to 17.6.1 lux extension versions 18.x through 24.x before 24.0.2 **Description** A SQL injection issue was discovered in the lux extension for TYPO3. **Recommendations** For versions prior to 17.6.1, update to version 17.6.1 or later. For versions 18.x through 24.x, update to version 24.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** Varnishcache extension versions prior to 2.0.1 for TYPO3 **Description** An issue in the Edge Site Includes (ESI) content element renderer component of the Varnishcache extension for TYPO3 does not include an access check. This allows an unauthenticated user to render various content elements, resulting in insecure direct object reference (IDOR), with the potential of exposing internal content elements. **Recommendations** For versions prior to 2.0.1, update to version 2.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the ESI content element renderer component to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: aimeos versions prior to 19.10.12 aimeos versions 20.x prior to 20.10.5 Description: The issue allows Cross-site Scripting (XSS) via a backend user account. This can be exploited to execute malicious scripts in the context of the affected application. Recommendations: For versions prior to 19.10.12, update to version 19.10.12 or later. For versions 20.x prior to 20.10.5, update to version 20.10.5 or later.