
=====================================================================

                             CERT-Renater

                  Information Note No. 2022/VULN208

_____________________________________________________________________

DATE                : 23/06/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running TYPO3 CMS versions prior to
             7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11.

=====================================================================
https://typo3.org/security/advisory/typo3-core-sa-2022-001
https://typo3.org/security/advisory/typo3-core-sa-2022-002
https://typo3.org/security/advisory/typo3-core-sa-2022-003
https://typo3.org/security/advisory/typo3-core-sa-2022-004
https://typo3.org/security/advisory/typo3-core-sa-2022-005
_____________________________________________________________________

TYPO3-CORE-SA-2022-001: Information Disclosure via Export Module

Categories: Development, TYPO3 CMS
Created by: Oliver Hader


It has been discovered that TYPO3 CMS is susceptible to information 
disclosure.

     Component Type: TYPO3 CMS
     Subcomponent: Export Module (ext:impexp)
     Release Date: June 14, 2022
     Vulnerability Type: Information Disclosure
     Affected Versions: 7.0.0-7.6.56 ELTS, 8.0.0-8.7.46 ELTS,
         9.0.0-9.5.34 ELTS, 10.0.0-10.4.28, 11.0.0-11.5.10
     Severity: Medium
     Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
     References: CVE-2022-31046, CWE-200


Problem Description

The export functionality fails to limit the result set to allowed 
columns of a particular database table. This allows authenticated users 
to export internal details of database tables to which they already have 
access.


Solution

Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 
11.5.11 that fix the problem described above.

In order to address this issue, access to the mentioned export functionality
is completely denied for regular backend users.

Strong security defaults - Manual actions required

The following User TSconfig setting would enable the use of the export
functionality for certain users:

     options.impexp.enableExportForNonAdminUser = 1


Credits

Thanks to TYPO3 core merger Lina Wolf who reported this issue and to
TYPO3 security team member Torben Hansen who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. 
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look 
them up in our review system.

_____________________________________________________________________

TYPO3-CORE-SA-2022-002: Information Disclosure via Exception Handling/Logger

Categories: Development, TYPO3 CMS
Created by: Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to information 
disclosure.

     Component Type: TYPO3 CMS
     Subcomponent: Exception Handling/Logger (ext:core)
     Release Date: June 14, 2022
     Vulnerability Type: Information Disclosure
     Affected Versions: 7.0.0-7.6.56 ELTS, 8.0.0-8.7.46 ELTS,
         9.0.0-9.5.34 ELTS, 10.0.0-10.4.28, 11.0.0-11.5.10
     Severity: Medium
     Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
     References: CVE-2022-31047, CWE-532


Problem Description

It has been discovered that system internal credentials or keys (e.g. 
database credentials) have been logged as plaintext in exception 
handlers, when logging the complete exception stack trace.


Solution

Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 
11.5.11 that fix the problem described above.
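
Logs written before the update may still contain the credentials described above. The following check is an added example, not TYPO3 or CERT-Renater code: it searches log lines for secret values supplied by the operator (for instance the configured database password) in raw, JSON-escaped and URL-encoded form, and reports the hits without echoing the secret. The function names, the sample secrets and the sample log lines are constructed for illustration.

```python
import json
from urllib.parse import quote

def _forms(value):
    """Forms a secret can take in a log: raw, JSON-escaped, URL-encoded."""
    return {value, json.dumps(value)[1:-1], quote(value, safe="")}

def find_secret_exposures(log_lines, secrets, min_len=8):
    """Return one finding per (line, secret) hit, with the secret redacted.

    secrets maps a label to its value; values shorter than min_len are
    skipped because they would match unrelated text.
    """
    usable = {label: _forms(v) for label, v in secrets.items()
              if v and len(v) >= min_len}
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        for label, forms in usable.items():
            # Longest form first so an encoded hit is redacted as a whole.
            hits = sorted((f for f in forms if f in line), key=len, reverse=True)
            if not hits:
                continue
            redacted = line.rstrip("\n")
            for form in hits:
                redacted = redacted.replace(form, "[REDACTED]")
            findings.append({"line": lineno, "secret": label, "redacted": redacted})
    return findings

def secrets_to_rotate(findings):
    """Labels of the secrets that appeared in at least one log line."""
    return sorted({f["secret"] for f in findings})

# Constructed sample data: not real TYPO3 log output, not real credentials.
SAMPLE_SECRETS = {"db_password": "s3cr3t/Db-Pa55", "short": "abc"}
SAMPLE_LOG = [
    "2022-06-10 10:00:01 [ERROR] Uncaught exception: connection refused",
    "2022-06-10 10:00:01 #0 connect('db.example.org', 'typo3', 's3cr3t/Db-Pa55')",
    "2022-06-10 10:00:02 dsn=mysql://typo3:s3cr3t%2FDb-Pa55@db.example.org/cms",
    "2022-06-10 10:05:12 [NOTICE] abc scheduler run finished",
]

if __name__ == "__main__":
    found = find_secret_exposures(SAMPLE_LOG, SAMPLE_SECRETS)
    for f in found:
        print(f"line {f['line']}: {f['secret']}: {f['redacted']}")
    print("rotate:", secrets_to_rotate(found))
```

Any secret reported here was written to disk in plaintext and should be rotated, with the affected log files restricted or purged according to local retention policy.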


Credits

Thanks to Marco Huber who reported this issue and to TYPO3 security team 
member Torben Hansen who fixed the issue.



_____________________________________________________________________

TYPO3-CORE-SA-2022-003: Cross-Site Scripting in Form Framework

Categories: Development, TYPO3 CMS
Created by: Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.

     Component Type: TYPO3 CMS
     Subcomponent: Form Framework (ext:form)
     Release Date: June 14, 2022
     Vulnerability Type: Cross-Site Scripting
     Affected Versions: 8.0.0-8.7.46 ELTS, 9.0.0-9.5.34 ELTS,
         10.0.0-10.4.28, 11.0.0-11.5.10
     Severity: Medium
     Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
     References: CVE-2022-31048, CWE-79


Problem Description

It has been discovered that the Form Designer backend module of the Form 
Framework is vulnerable to cross-site scripting. A valid backend user 
account with access to the form module is needed to exploit this 
vulnerability.


Solution

Update to TYPO3 versions 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that 
fix the problem described above.


Credits

Thanks to Gabe Troyan who reported and fixed the issue.



_____________________________________________________________________

TYPO3-CORE-SA-2022-004: Cross-Site Scripting in Frontend Login Mailer

Categories: Development, TYPO3 CMS
Created by: Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.

     Component Type: TYPO3 CMS
     Subcomponent: Frontend Login Mailer (ext:felogin)
     Release Date: June 14, 2022
     Vulnerability Type: Cross-Site Scripting
     Affected Versions: 9.0.0-9.5.34 ELTS, 10.0.0-10.4.28,
         11.0.0-11.5.10
     Severity: Medium
     Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
     References: CVE-2022-31049, CWE-74, CWE-79


Problem Description

User-submitted content was used without being properly encoded in HTML
emails sent to users. The components actually affected were the mail
clients used to view those messages.


Solution

Update to TYPO3 versions 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the 
problem described above.


Credits

Thanks to Christian Seifert who reported this issue and to TYPO3 
framework merger Andreas Fernandez who fixed the issue.



_____________________________________________________________________

TYPO3-CORE-SA-2022-005: Insufficient Session Expiration in Admin Tool

Categories: Development, TYPO3 CMS
Created by: Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to broken access 
control.

     Component Type: TYPO3 CMS
     Subcomponent: Admin Tool (ext:install)
     Release Date: June 14, 2022
     Vulnerability Type: Broken Access Control
     Affected Versions: 9.0.0-9.5.34 ELTS, 10.0.0-10.4.28,
         11.0.0-11.5.10
     Severity: Medium
     Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C
     References: CVE-2022-31050, CWE-613


Problem Description

Admin Tool sessions initiated via the TYPO3 backend user interface have 
not been revoked even if the corresponding user account was degraded to 
lower permissions or disabled completely. This way, sessions in the 
admin tool theoretically could have been prolonged without any limit.


Solution

Update to TYPO3 versions 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the 
problem described above.
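
The five advisories in this bulletin affect different TYPO3 branches, so the set of open issues depends on the installed version. The following triage helper is an added example, not TYPO3 or CERT-Renater code: it encodes the affected ranges and fixed releases listed above and returns the advisories still open for a given version. The function names and the sample inventory are constructed for illustration.

```python
import re

# First fixed release per branch, as listed in this bulletin.
FIXED = {7: (7, 6, 57), 8: (8, 7, 47), 9: (9, 5, 35),
         10: (10, 4, 29), 11: (11, 5, 11)}
ELTS_BRANCHES = {7, 8, 9}  # the fixed releases of these branches are ELTS
# Advisory -> (CVE, lowest affected major version), from "Affected Versions".
ADVISORIES = {
    "TYPO3-CORE-SA-2022-001": ("CVE-2022-31046", 7),
    "TYPO3-CORE-SA-2022-002": ("CVE-2022-31047", 7),
    "TYPO3-CORE-SA-2022-003": ("CVE-2022-31048", 8),
    "TYPO3-CORE-SA-2022-004": ("CVE-2022-31049", 9),
    "TYPO3-CORE-SA-2022-005": ("CVE-2022-31050", 9),
}

def parse_version(text):
    """Parse 'x.y.z' with an optional 'v' prefix and ' ELTS' suffix."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:\s+ELTS)?\s*", text, re.IGNORECASE)
    if m is None:
        raise ValueError(f"not an x.y.z TYPO3 version: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(version_text):
    """Return the advisories of this bulletin still open for one version."""
    version = parse_version(version_text)
    major = version[0]
    result = {"version": version_text.strip(), "covered": major in FIXED,
              "advisories": [], "cves": [], "update_to": None}
    if not result["covered"] or version >= FIXED[major]:
        return result  # branch not in this bulletin, or already fixed
    for name, (cve, min_major) in sorted(ADVISORIES.items()):
        if major >= min_major:
            result["advisories"].append(name)
            result["cves"].append(cve)
    target = ".".join(str(n) for n in FIXED[major])
    result["update_to"] = target + (" ELTS" if major in ELTS_BRANCHES else "")
    return result

if __name__ == "__main__":
    # Constructed inventory of installed versions, for illustration only.
    for installed in ["7.6.56", "8.7.46 ELTS", "9.5.35", "10.4.28", "11.5.10"]:
        r = triage(installed)
        print(installed, "->", r["update_to"] or "no update needed", r["cves"])
```

A result with "covered" set to False means the branch is outside the ranges this bulletin lists, not that the installation is safe.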


Credits

Thanks to Kien Hoang who reported this issue and to TYPO3 framework 
merger Ralf Zimmermann and TYPO3 security team member Oliver Hader who 
fixed the issue.





=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================



