Typo3 core team reports:
CKEditor 4.11 fixes an XSS vulnerability in the HTML parser reported by maxarr.
The vulnerability stemmed from the fact that it was possible to execute XSS inside
the CKEditor source area after persuading the victim to: (i) switch CKEditor to
source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker,
into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.
Although this is an unlikely scenario, we recommend to upgrade to the latest editor version.
Failing to properly encode user input, online media asset rendering
(*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user
account or write access on the server system (e.g. SFTP) is needed in order to exploit this
vulnerability.
Failing to properly encode user input, notifications shown in modal windows in the TYPO3
backend are vulnerable to cross-site scripting. A valid backend user account is needed in
order to exploit this vulnerability.
Failing to properly encode user input, login status display is vulnerable to cross-site
scripting in the website frontend. A valid user account is needed in order to exploit this
vulnerability - either a backend user or a frontend user having the possibility to modify
their user profile.
Template patterns that are affected are:
###FEUSER_[fieldName]### using system extension felogin
<!--###USERNAME###--> for regular frontend rendering
(pattern can be defined individually using TypoScript setting
config.USERNAME_substToken)
It has been discovered that cookies created in the Install Tool are not hardened to be
submitted only via HTTP. In combination with other vulnerabilities such as cross-site
scripting it can lead to hijacking an active and valid session in the Install Tool.
The Install Tool exposes the current TYPO3 version number to non-authenticated users.
Online Media Asset Handling (*.youtube and *.vimeo files) in the TYPO3 backend is vulnerable
to denial of service. Putting large files with according file extensions results in high
consumption of system resources. This can lead to exceeding limits of the current PHP process
which results in a dysfunctional backend component. A valid backend user account or write
access on the server system (e.g. SFTP) is needed in order to exploit this vulnerability.
TYPO3’s built-in record registration functionality (aka “basic shopping cart”) using recs
URL parameters is vulnerable to denial of service. Failing to properly ensure that anonymous
user sessions are valid, attackers can use this vulnerability in order to create an arbitrary
amount of individual session-data records in the database.
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center