
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN234
_____________________________________________________________________

DATE                : 27/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running
                      "2 Clicks for External Media" for TYPO3 versions prior to 1.3.3,
                      "Dynamic Content Element" for TYPO3 versions prior to 2.6.2, 2.7.1,
                      "Yoast SEO for TYPO3" versions prior to 7.2.1,
                      "Bootstrap Package" for TYPO3 versions prior to 7.1.2, 8.0.8,
                      9.0.4, 9.1.3, 10.0.10, 11.0.3.

=====================================================================
https://typo3.org/security/advisory/typo3-ext-sa-2021-004
https://typo3.org/security/advisory/typo3-ext-sa-2021-005
https://typo3.org/security/advisory/typo3-ext-sa-2021-006
https://typo3.org/security/advisory/typo3-ext-sa-2021-007
_____________________________________________________________________

Tue. 27th April, 2021
TYPO3-EXT-SA-2021-004: Cross-Site Scripting in extension "2 Clicks for
External Media" (media2click)
Categories: Development, Security Created by Torben Hansen


It has been discovered that the extension "2 Clicks for External Media"
(media2click) is susceptible to Cross-Site Scripting.

    Release Date: April 27, 2021
    Component Type: Third party extension. This extension is not a part
                     of the TYPO3 default installation.
    Component: "2 Clicks for External Media" (media2click)
    Vulnerability Type: Cross-Site Scripting
    Affected Versions: 1.0.0 - 1.3.2
    Severity: Medium
    Suggested CVSS:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:F/RL:O/RC:C
    References: CVE-2021-31778


Problem Description

The extension fails to properly encode user input for output in HTML
context. A TYPO3 backend user account is required to exploit the
vulnerability.


Solution

An updated version 1.3.3 is available from the TYPO3 extension manager,
Packagist and at
https://extensions.typo3.org/extension/download/media2click/1.3.3/zip
Users of the extension are advised to update the extension as soon as
possible.


Credits

Thanks to Andrey Basarygin, Andrey Guzei, Mikhail Khramenkov, Alexander
Sidukov and Maxim Teplykh from Solar Security for reporting the issue
and to Gregor Hermens for providing an updated version of the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________


Tue. 27th April, 2021
TYPO3-EXT-SA-2021-005: SQL Injection in extension "Dynamic Content
Element" (dce)
Categories: Development, Security Created by Torben Hansen


It has been discovered that the extension "Dynamic Content Element"
(dce) is susceptible to SQL Injection.

    Release Date: April 27, 2021
    Component Type: Third party extension. This extension is not a part
                     of the TYPO3 default installation.
    Component: "Dynamic Content Element" (dce)
    Vulnerability Type: SQL Injection
    Affected Versions: 2.7.0, 2.2.0 - 2.6.1
    Severity: Medium
    Suggested CVSS:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
    References: CVE-2021-31777


Problem Description

The extension fails to properly sanitize user input and is susceptible
to SQL Injection. A TYPO3 backend user account is required to exploit
the vulnerability.


Solution

Updated versions 2.6.2 and 2.7.1 are available from the TYPO3 extension
manager, Packagist and at
https://extensions.typo3.org/extension/download/dce/2.7.1/zip
https://extensions.typo3.org/extension/download/dce/2.6.2/zip
Users of the extension are advised to update the extension as soon as
possible.


Credits

Thanks to Excellium Services for reporting the issue and to Armin
Vieweg for providing an updated version of the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


_____________________________________________________________________


Tue. 27th April, 2021
TYPO3-EXT-SA-2021-006: Server-side request forgery in extension "Yoast
SEO for TYPO3" (yoast_seo)
Categories: Development, Security Created by Torben Hansen


It has been discovered that the extension "Yoast SEO for TYPO3"
(yoast_seo) is susceptible to Server-side request forgery (SSRF).

    Release Date: April 27, 2021
    Component Type: Third party extension. This extension is not a part
                    of the TYPO3 default installation.
    Component: "Yoast SEO for TYPO3" (yoast_seo)
    Vulnerability Type: Server-side request forgery
    Affected Versions: 7.2.0 and below
    Severity: Medium
    Suggested CVSS:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:F/RL:O/RC:C
    References: CVE-2021-31779


Problem Description

The extension fails to restrict analyzed URLs to domains managed by the
current TYPO3 website. A logged-in TYPO3 backend user can use the
vulnerability to make HTTP requests to arbitrary domains, including the
web server itself or other internally managed resources.
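The mitigation the advisory describes is an allowlist: a URL handed to the analyzer is fetched only if its host is one of the domains the site itself serves. The following is an added example of such a check, written for this note and not code from the yoast_seo extension; it assumes the site's configured hostnames are available as a plain list (SITE_DOMAINS below is a constructed sample) and does no DNS resolution, so a name on the list that resolves to an internal address is outside its scope.

```python
"""Host allowlist for URLs a backend analyzer is asked to fetch.

Added example, not code from the yoast_seo extension. It assumes the
hostnames the TYPO3 site is configured to serve are available as a list
(SITE_DOMAINS below is a constructed sample) and lets a request through
only when the URL targets one of them.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the domains this site is configured to serve.
SITE_DOMAINS = ["www.example.org", "example.org"]


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'WWW.Example.org.' matches the list."""
    return host.lower().rstrip(".")


def is_allowed_url(url: str, site_domains) -> bool:
    """Return True only if `url` is an http(s) URL whose host is one of the site's domains.

    Everything else is refused: other schemes (file:, gopher:, ...), URLs with
    embedded credentials (which hide the real host behind an '@'), raw IP
    literals (127.0.0.1, 169.254.169.254, [::1], ...) and any hostname that
    is not on the allowlist, which also covers 'localhost' and lookalikes
    such as example.org.attacker.test.
    """
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. an unbalanced '[' in an IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False            # an IP literal is never a managed domain
    except ValueError:
        pass
    allowed = {normalize_host(d) for d in site_domains}
    return normalize_host(host) in allowed


def filter_urls(urls, site_domains):
    """Split candidate URLs into (accepted, rejected) lists so rejects can be logged."""
    accepted, rejected = [], []
    for u in urls:
        (accepted if is_allowed_url(u, site_domains) else rejected).append(u)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input mixing legitimate and hostile URLs.
    candidates = [
        "https://www.example.org/news/",
        "http://127.0.0.1/",
        "http://169.254.169.254/",
        "http://www.example.org@127.0.0.1/",
        "file:///etc/passwd",
        "https://example.org.attacker.test/",
    ]
    ok, bad = filter_urls(candidates, SITE_DOMAINS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is deliberately exact-match on hostnames rather than a suffix test, because a suffix test is what lets example.org.attacker.test through; if the site legitimately serves subdomains, add them to the list explicitly.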


Solution

An updated version 7.2.1 is available from the TYPO3 extension manager,
Packagist and at
https://extensions.typo3.org/extension/download/yoast_seo/7.2.1/zip
Users of the extension are advised to update the extension as soon as
possible.


Credits

Thanks to Andrey Basarygin, Andrey Guzei, Mikhail Khramenkov, Alexander
Sidukov and Maxim Teplykh from Solar Security for reporting the issue
and to MaxServ BV for providing an updated version of the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________


Tue. 27th April, 2021
TYPO3-EXT-SA-2021-007: Cross-Site Scripting in extension "Bootstrap
Package" (bootstrap_package)
Categories: Development, Security Created by Torben Hansen


It has been discovered that the extension "Bootstrap Package"
(bootstrap_package) is susceptible to Cross-Site Scripting.

    Release Date: April 27, 2021
    Component Type: Third party extension. This extension is not a part
                    of the TYPO3 default installation.
    Component: "Bootstrap Package" (bootstrap_package)
    Vulnerability Type: Cross-Site Scripting
    Affected Versions: 11.0.0 - 11.0.2, 10.0.0 - 10.0.9, 9.0.0 - 9.0.3,
                       9.1.0 - 9.1.2, 8.0.0 - 8.0.7, 7.1.1 and below
    Severity: Medium
    Suggested CVSS:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
    References: CVE-2021-21365


Problem Description

The extension fails to properly encode user input for output in HTML
context. The following templates are affected by the vulnerability:

    Resources/Private/Partials/ContentElements/Carousel/Item/CallToAction.html
    Resources/Private/Partials/ContentElements/Carousel/Item/Header.html
    Resources/Private/Partials/ContentElements/Carousel/Item/Text.html
    Resources/Private/Partials/ContentElements/Carousel/Item/TextAndImage.html
    Resources/Private/Partials/ContentElements/Header/SubHeader.html

Users of the extension who have overwritten the affected templates must
manually apply the required changes as shown below:

Vulnerable:
<f:format.htmlentitiesDecode>{userInput}</f:format.htmlentitiesDecode>

Not vulnerable:
<f:format.htmlspecialchars doubleEncode="false">{userInput}</f:format.htmlspecialchars>
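Sites that override the listed partials do not get the fix from the package update, so the practical check is to look at the overrides for the decoding wrapper. The script below is an added example for this note, not code from the Bootstrap Package project: it reports every line of the five named templates that still uses <f:format.htmlentitiesDecode>, and rewrites the bare wrapper into the form shown under "Not vulnerable". The override directory passed on the command line is an assumption, and SAMPLE_TEMPLATE is a constructed partial used when no directory is given.

```python
"""Find and rewrite the vulnerable Fluid pattern in overridden templates.

Added example, not code from the Bootstrap Package project. It assumes the
site keeps its template overrides in a directory mirroring the extension's
Resources/Private layout (the path given to scan_override_dir is an
assumption) and looks only at the five templates the advisory names.
"""
import re
import sys
from pathlib import Path

# Templates listed in the advisory, relative to Resources/Private.
AFFECTED_TEMPLATES = (
    "Partials/ContentElements/Carousel/Item/CallToAction.html",
    "Partials/ContentElements/Carousel/Item/Header.html",
    "Partials/ContentElements/Carousel/Item/Text.html",
    "Partials/ContentElements/Carousel/Item/TextAndImage.html",
    "Partials/ContentElements/Header/SubHeader.html",
)

# Any use of the decoding ViewHelper, with or without arguments.
VULNERABLE_ANY_RE = re.compile(r"<f:format\.htmlentitiesDecode\b")
# The bare open/close tags the advisory shows, which can be swapped mechanically.
VULNERABLE_OPEN_RE = re.compile(r"<f:format\.htmlentitiesDecode\s*>")
VULNERABLE_CLOSE_RE = re.compile(r"</f:format\.htmlentitiesDecode\s*>")
FIXED_OPEN = '<f:format.htmlspecialchars doubleEncode="false">'
FIXED_CLOSE = "</f:format.htmlspecialchars>"

# Constructed sample of an overridden carousel partial (not the real file).
SAMPLE_TEMPLATE = """\
<html xmlns:f="http://typo3.org/ns/TYPO3/CMS/Fluid/ViewHelpers" data-namespace-typo3-fluid="true">
<h2 class="carousel-header">
    <f:format.htmlentitiesDecode>{item.header}</f:format.htmlentitiesDecode>
</h2>
<p class="carousel-text">
    <f:format.htmlentitiesDecode>{item.text}</f:format.htmlentitiesDecode>
</p>
</html>
"""


def find_vulnerable_lines(template_text: str):
    """Return (line_number, stripped_line) for every line using htmlentitiesDecode."""
    return [
        (n, line.strip())
        for n, line in enumerate(template_text.splitlines(), start=1)
        if VULNERABLE_ANY_RE.search(line)
    ]


def rewrite_template(template_text: str):
    """Return (fixed_text, replacements) with bare decode wrappers replaced by
    the encoding form from the advisory.

    Open tags that carry arguments are not matched, so an open/close count
    mismatch means the file needs a manual edit; refuse rather than emit a
    half-rewritten template.
    """
    fixed, n_open = VULNERABLE_OPEN_RE.subn(FIXED_OPEN, template_text)
    fixed, n_close = VULNERABLE_CLOSE_RE.subn(FIXED_CLOSE, fixed)
    if n_open != n_close:
        raise ValueError(
            f"{n_open} bare open tags vs {n_close} close tags; fix this template by hand"
        )
    return fixed, n_open


def scan_override_dir(root: Path):
    """Map each affected template present under `root` to its vulnerable lines."""
    findings = {}
    for rel in AFFECTED_TEMPLATES:
        path = root / rel
        if path.is_file():
            hits = find_vulnerable_lines(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[rel] = hits
    return findings


if __name__ == "__main__":
    # Usage: python scan_fluid.py /path/to/site_package/Resources/Private
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])
        for rel, hits in scan_override_dir(root).items():
            for n, line in hits:
                print(f"{root / rel}:{n}: {line}")
    else:
        # No directory given: show the check on the constructed sample instead.
        for n, line in find_vulnerable_lines(SAMPLE_TEMPLATE):
            print(f"sample:{n}: {line}")
        fixed, count = rewrite_template(SAMPLE_TEMPLATE)
        print(f"{count} wrapper(s) rewritten:\n{fixed}")
```

rewrite_template never writes to disk; review its output and commit the change through the site package's normal deployment, so the fixed partial is versioned with the rest of the override.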


Solution

Updated versions 7.1.2, 8.0.8, 9.0.4, 9.1.3, 10.0.10, 11.0.3 are
available from the TYPO3 extension manager, Packagist and at
https://extensions.typo3.org/extension/download/bootstrap_package/7.1.2/zip
https://extensions.typo3.org/extension/download/bootstrap_package/8.0.8/zip
https://extensions.typo3.org/extension/download/bootstrap_package/9.0.4/zip
https://extensions.typo3.org/extension/download/bootstrap_package/9.1.3/zip
https://extensions.typo3.org/extension/download/bootstrap_package/10.0.10/zip
https://extensions.typo3.org/extension/download/bootstrap_package/11.0.3/zip

Users of the extension are advised to update the extension as soon as
possible.


Credits

Thanks to TYPO3 Security Team Member Oliver Hader who reported and fixed
the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================