
===================================================================
                             CERT-Renater

                 Information Note No. 2022/VULN207

_____________________________________________________________________

DATE                : 23/06/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running libconnect for TYPO3,
                       Matomo Integration for TYPO3,
                       Embedding schema.org vocabulary for TYPO3,
                       ameos_tarteaucitron for TYPO3.

====================================================================

https://typo3.org/security/advisory/typo3-ext-sa-2022-010
https://typo3.org/security/advisory/typo3-ext-sa-2022-011
https://typo3.org/security/advisory/typo3-ext-sa-2022-012
https://typo3.org/security/advisory/typo3-ext-sa-2022-013
_____________________________________________________________________

TYPO3-EXT-SA-2022-010: Cross-Site Scripting in extension "libconnect" 
(libconnect)

Categories: Development, Security. Created by Torben Hansen

It has been discovered that the extension "libconnect" (libconnect) is 
susceptible to Cross-Site Scripting.

     Release Date: June 14, 2022
     Component Type: Third party extension. This extension is not a 
          part of the TYPO3 default installation.
     Component: "libconnect" (libconnect)
     Vulnerability Type: Cross-Site Scripting
     Affected Versions: 7.0.5 and below, 8.0.0 - 8.0.2
     Severity: Medium
     Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
     References: CVE-2022-33157


Problem Description

The extension fails to properly encode user input for output in HTML 
context.


Solution

Updated versions 7.0.8 and 8.1.0 are available from the TYPO3 extension 
manager and at
https://extensions.typo3.org/extension/download/libconnect/7.0.5/zip
https://extensions.typo3.org/extension/download/libconnect/8.1.0/zip
Users of the extension are advised to update the extension as soon as 
possible.


Credits

Thanks to Torsten Witt for providing updated versions of the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. 
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________

TYPO3-EXT-SA-2022-011: Cross-Site Scripting in extension "Matomo 
Integration" (matomo_integration)

Categories: Development, Security. Created by Torben Hansen

It has been discovered that the extension "Matomo Integration" 
(matomo_integration) is susceptible to Cross-Site Scripting.

     Release Date: June 14, 2022
     Component Type: Third party extension. This extension is not a 
          part of the TYPO3 default installation.
     Component:  "Matomo Integration" (matomo_integration)
     Vulnerability Type: Cross-Site Scripting
     Affected Versions: 1.3.1 and below
     Severity: Medium
     Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
     References: CVE-2022-33156


Problem Description

The extension fails to properly encode user input provided by PSR-14 
Event Listeners for output in HTML context.


Solution

An updated version 1.3.2 is available from the TYPO3 extension manager, 
packagist and at
https://extensions.typo3.org/extension/download/matomo_integration/1.3.2/zip
Users of the extension are advised to update the extension as soon as 
possible.


Credits

Thanks to Chris Müller for reporting the vulnerability and for providing 
an updated version of the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. 
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________

TYPO3-EXT-SA-2022-012: Cross-Site Scripting in extension "Embedding 
schema.org vocabulary" (schema)

Categories: Development, Security. Created by Torben Hansen

It has been discovered that the extension "Embedding schema.org 
vocabulary" (schema) is susceptible to Cross-Site Scripting.

     Release Date: June 14, 2022
     Component Type: Third party extension. This extension is not a 
          part of the TYPO3 default installation.
     Component: "Embedding schema.org vocabulary" (schema)
     Vulnerability Type: Cross-Site Scripting
     Affected Versions: 1.13.0 and below, 2.0.0 - 2.5.0
     Severity: Medium
     Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
     References: CVE-2022-33154


Problem Description

The extension fails to properly encode user input for output in HTML 
context. A TYPO3 backend user account is required to exploit the 
vulnerability.


Solution

Updated versions 1.13.1 and 2.5.1 are available from the TYPO3 extension 
manager, packagist and at
https://extensions.typo3.org/extension/download/schema/1.13.1/zip
https://extensions.typo3.org/extension/download/schema/2.5.1/zip
Users of the extension are advised to update the extension as soon as 
possible.


Credits

Thanks to Chris Müller for reporting the vulnerability and for providing 
updated versions of the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. 
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________


TYPO3-EXT-SA-2022-013: Cross-Site Scripting in extension "AMEOS - 
TarteAuCitron (GDPR cookie banner and tracking management / French RGPD 
compatible)" (ameos_tarteaucitron)

Categories: Development, Security. Created by Torben Hansen

It has been discovered that the extension "AMEOS - TarteAuCitron (GDPR 
cookie banner and tracking management / French RGPD compatible)" 
(ameos_tarteaucitron) is susceptible to Cross-Site Scripting.

     Release Date: June 14, 2022
     Component Type: Third party extension. This extension is not a 
          part of the TYPO3 default installation.
     Component: "AMEOS - TarteAuCitron (GDPR cookie banner and tracking 
management / French RGPD compatible)" (ameos_tarteaucitron)
     Vulnerability Type: Cross-Site Scripting
     Affected Versions: 1.2.22 and below
     Severity: Medium
     Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
     References: CVE-2022-33155


Problem Description

The extension fails to properly encode user input for output in HTML 
context. A TYPO3 backend user account is required to exploit the 
vulnerability.
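All four problem descriptions above (TYPO3-EXT-SA-2022-010 to -013) name the same defect class: a value that an editor, a request, or a PSR-14 event listener supplies is written into HTML without encoding for the HTML context. The PHP below is an added example that is not code from the TYPO3 advisories or from any of the four extensions; the function names, the rendering helpers and the sample value are hypothetical and constructed for illustration. It shows the vulnerable concatenation pattern beside the encoded form, for element content and for an attribute.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical names, not code from the advisories or the
// extensions): the defect class "fails to properly encode user input for
// output in HTML context", shown beside the corrected pattern.

/**
 * Vulnerable pattern: the value is concatenated straight into markup,
 * so any tag or attribute inside $title is parsed as HTML by the browser.
 */
function renderTitleUnsafe(string $title): string
{
    return '<h2 class="title">' . $title . '</h2>';
}

/**
 * Encode for HTML context at the point of output.
 * ENT_QUOTES also encodes ' and " so the result is safe inside quoted
 * attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
 * an empty string, which would silently drop the value and hide the bug.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Corrected pattern for element content. */
function renderTitleSafe(string $title): string
{
    return '<h2 class="title">' . escapeHtml($title) . '</h2>';
}

/** Corrected pattern for attribute context: encode and always quote. */
function renderLinkSafe(string $label, string $dataValue): string
{
    return '<a data-value="' . escapeHtml($dataValue) . '">'
        . escapeHtml($label) . '</a>';
}

/**
 * Review-time check: the rendered output must not contain the raw
 * markup-significant characters of the input unencoded.
 */
function outputIsEncoded(string $rendered, string $input): bool
{
    $fragment = substr($input, 0, strcspn($input, '>') + 1);
    return $fragment === '' || strpos($rendered, $fragment) === false;
}

// Constructed sample value, as an editor or an event listener might supply it.
$sample = '"Spring" <b>Sale</b> & more';

echo 'Unsafe: ' . renderTitleUnsafe($sample) . PHP_EOL;
echo 'Safe:   ' . renderTitleSafe($sample) . PHP_EOL;
echo 'Attr:   ' . renderLinkSafe('Offers', $sample) . PHP_EOL;

if (!outputIsEncoded(renderTitleSafe($sample), $sample)
    || outputIsEncoded(renderTitleUnsafe($sample), $sample)) {
    fwrite(STDERR, "encoding check failed\n");
    exit(1);
}
```

Run it with `php example.php`. In a TYPO3 extension the same rule applies inside Fluid templates, where `{value}` is escaped automatically while `<f:format.raw>` and `{value -> f:format.raw()}` emit the value unencoded; a review of an extension for this defect class therefore covers those view helpers together with any PHP that builds markup by string concatenation, including values handed in by event listeners as in the matomo_integration case. The PR:L vectors on two of the advisories reflect that the unencoded value originates from backend-editable content, which narrows who can supply it but does not change the fix.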


Solution

An updated version 1.2.23 is available from the TYPO3 extension manager, 
packagist and at 
https://extensions.typo3.org/extension/download/ameos_tarteaucitron/1.2.23/zip
Users of the extension are advised to update the extension as soon as 
possible.


Credits

Thanks to TYPO3 Security Team member Torben Hansen for reporting the 
vulnerability and to Luc Muller for providing an updated version of the 
extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. 
Please subscribe to the typo3-announce mailing list.



=======================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email: cert@support.renater.fr +
=======================================================

