TYPO3 Security Advisory: Multiple Vulnerabilities (XSS, SQLi, RCE, Open Redirect)

Summary of Critical Vulnerabilities Affected Versions 4.1.13 and earlier 4.2.12 and earlier 4.3.3 and earlier 4.4 Vulnerability Types and Descriptions 1. Cross-Site Scripting (XSS) - Backend - Due to improper sanitization of user input, XSS vulnerabilities exist in multiple locations. 2. Open Redirect - Backend - Due to improper sanitization of user input, open redirect vulnerabilities exist in multiple locations. 3. SQL Injection - Backend - User input was not properly escaped during database queries, making certain backend record editing forms vulnerable to SQL injection. This vulnerability can only be exploited by editors with record editing permissions, specifically those records that have special "where" query definitions in TCA, or records using the auto-suggestion feature in versions 4.3 and above. 4. Arbitrary Code Execution - Backend - The default value of the configuration variable was insufficiently secure, allowing backend users to upload executable files such as , which could be executed as PHP under certain web server configurations. The new feature sets the default to: . 5. Information Disclosure - Backend - When a defective backend module extension is installed, an error message may reveal the full path to the website root directory. - Mailing API - The PHP class used in the mailing API includes the exact installation version number in the email headers. 6. T3Lib_div::generateRandomBytes() and Insecure Randomness - This function may generate the same random sequence on initial calls, posing a security risk. 7. Conflict - Frontend - Due to lack of validation of input parameters, native form content elements are vulnerable to spam abuse. Attackers can exploit this form to send emails to arbitrary email addresses. 8. Header Injection - Frontend - Due to improper sanitization of user input, the secure download feature (jumpurl) may be susceptible to header injection/manipulation. 9. Frontend Login - Open Redirect, Cross-Site Scripting - Due to improper sanitization of user input, the frontend login form is vulnerable to open redirect and XSS attacks. 10. Unvalidated Session Management - Install Tool - When calling the Install Tool user, the default session identifier is not validated, making it vulnerable to session fixation attacks. Attackers may hijack a victim’s session. This vulnerability also exists in other paths. Recommended CVSS v2.0 Depending on the specific vulnerability, CVSS v2.0 scores may vary, ranging from low to high severity. Solution Update to TYPO3 versions 4.1.14, 4.2.13, 4.3.4, or 4.4.1 to address the described issues. Acknowledgments The discovery and reporting of multiple vulnerabilities are credited to the , , and several independent security researchers. Specific acknowledgments are detailed in the respective sections. General Recommendations Follow the recommended practices outlined in the . Subscribe to the mailing list to receive relevant updates.

Goal Reached Thanks to every supporter — we hit 100%!

TYPO3 Security Advisory: Multiple Vulnerabilities (XSS, SQLi, RCE, Open Redirect)