
===================================================================
                                CERT-Renater

                    Note d'Information No. 2022/VULN461

_____________________________________________________________________

DATE                : 14/12/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running TYPO3 versions prior to
                  8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

====================================================================

https://typo3.org/security/advisory/typo3-core-sa-2022-012
https://typo3.org/security/advisory/typo3-core-sa-2022-013
https://typo3.org/security/advisory/typo3-core-sa-2022-014
https://typo3.org/security/advisory/typo3-core-sa-2022-015
https://typo3.org/security/advisory/typo3-core-sa-2022-016
https://typo3.org/security/advisory/typo3-core-sa-2022-017
_____________________________________________________________________

Tue. 13th December, 2022
TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling

Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to denial of
service.

Component Type: TYPO3 CMS
Subcomponent: Page Error Handling (ext:core, ext:frontend)
Release Date: December 13, 2022
Vulnerability Type: Denial of Service
Affected Versions: 9.0.0-9.5.37, 10.0.0-10.4.32, 11.0.0-11.5.19
Severity: Medium
Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C
References: CVE-2022-23500, CWE-405, CWE-674


Problem Description
Requesting invalid or non-existing resources via HTTP triggers the
page error handler, which in turn may retrieve the content to be shown
as an error message from another page. This leads to a scenario in
which the application calls itself recursively - amplifying the
impact of the initial request until the limits of the web server are
exceeded.

This vulnerability is very similar, but not identical, to the one
described in TYPO3-CORE-SA-2021-005 (CVE-2021-21359).


Solution
Update to TYPO3 versions 9.5.38 ELTS, 10.4.33 or 11.5.20 that fix
the problem described above.


Credits
Thanks to Daniel Schönfeld who reported this issue and to TYPO3
core & security team member Benni Mack who fixed the issue.


General Advice
Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.


General Note
All security related code changes are tagged so that you can easily
look them up in our review system.

_____________________________________________________________________

Tue. 13th December, 2022
TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login

Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to weak
authentication.

Component Type: TYPO3 CMS
Subcomponent: Frontend Login (ext:felogin, ext:frontend)
Release Date: December 13, 2022
Vulnerability Type: Weak Authentication
Affected Versions: 8.0.0-8.7.48, 9.0.0-9.5.37, 10.0.0-10.4.32,
                    11.0.0-11.5.19, 12.0.0-12.1.0
Severity: Medium
Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C
References: CVE-2022-23501, CWE-302, CWE-1390


Problem Description
Restricting frontend login to specific users, organized in different
storage folders (partitions), can be bypassed. A potential attacker
might use this ambiguity of usernames across storage folders to gain
access to a different account - however, the credentials must be known
to the adversary.


Solution
Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20,
12.1.1 that fix the problem described above.


Credits
Thanks to TYPO3 security team member Torben Hansen who reported this
issue and to TYPO3 core & security team member Oliver Hader who fixed
the issue.


General Advice
Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note
All security related code changes are tagged so that you can easily
look them up in our review system.

_____________________________________________________________________

Tue. 13th December, 2022
TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password
Reset

Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to insufficient
session expiration.

Component Type: TYPO3 CMS
Subcomponent: Password Reset (ext:felogin, ext:backend)
Release Date: December 13, 2022
Vulnerability Type: Insufficient Session Expiration
Affected Versions: 10.0.0-10.4.32, 11.0.0-11.5.19, 12.0.0-12.1.0
Severity: Medium
Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
References: CVE-2022-23502, CWE-613


Problem Description
When users reset their password using the corresponding password recovery
functionality, existing sessions for that particular user account were
not revoked. This applied to both frontend user sessions and backend user
sessions.


Solution
Update to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem
described above.


Credits
Thanks to TYPO3 security team member Torben Hansen who reported and fixed
the issue.


General Advice
Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note
All security related code changes are tagged so that you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 13th December, 2022
TYPO3-CORE-SA-2022-015: Arbitrary Code Execution via Form Framework

Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to arbitrary
code execution.

Component Type: TYPO3 CMS
Subcomponent: Form Framework (ext:form)
Release Date: December 13, 2022
Vulnerability Type: Arbitrary Code Execution
Affected Versions: 8.0.0-8.7.48, 9.0.0-9.5.37, 10.0.0-10.4.32,
                    11.0.0-11.5.19, 12.0.0-12.1.0
Severity: High
Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
References: CVE-2022-23503, CWE-94


Problem Description
Due to the lack of separation between user-submitted data and the
internal configuration in the Form Designer backend module, it was
possible to inject instructions that are processed via TypoScript and
executed as PHP code.

The existence of individual TypoScript instructions for a particular
form item (known as formDefinitionOverrides) and a valid backend user
account with access to the form module are needed to exploit this
vulnerability.


Solution
Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20,
12.1.1 that fix the problem described above.


Credits
Thanks to Sabine Deeken who reported this issue and to TYPO3 core team
member Ralf Zimmermann who fixed the issue.


General Advice
Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note
All security related code changes are tagged so that you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 13th December, 2022
TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML
Placeholder Expressions in Site Configuration

Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to sensitive
information disclosure.

Component Type: TYPO3 CMS
Subcomponent: Site Configuration, YAML File Loader (ext:core)
Release Date: December 13, 2022
Vulnerability Type: Sensitive Information Disclosure
Affected Versions: 9.0.0-9.5.37, 10.0.0-10.4.32, 11.0.0-11.5.19,
                    12.0.0-12.1.0
Severity: Medium
Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C
References: CVE-2022-23504, CWE-200, CWE-917


Problem Description
Due to missing handling of user-submitted YAML placeholder
expressions in the site configuration backend module, attackers
could expose sensitive internal information, such as system
configuration or HTTP request messages of other website visitors.

A valid backend user account having administrator privileges is
needed to exploit this vulnerability.


Solution
Update to TYPO3 versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1
that fix the problem described above.


Credits
Thanks to TYPO3 core & security team member Oliver Hader who
reported and fixed the issue.


General Advice
Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security related code changes are tagged so that you can
easily look them up in our review system.

_____________________________________________________________________

Tue. 13th December, 2022
TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in
HTML Sanitizer

Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to cross-site
scripting.

Component Type: TYPO3 CMS
Subcomponent: HTML Sanitizer (based on typo3/html-sanitizer)
Release Date: December 13, 2022
Vulnerability Type: Cross-Site Scripting
Affected Versions: 8.0.0-8.7.48, 9.0.0-9.5.37, 10.0.0-10.4.32,
                    11.0.0-11.5.19, 12.0.0-12.1.0
Severity: Medium
Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
References: CVE-2022-23499, CWE-79


Problem Description
Due to a parsing issue in the upstream package masterminds/html5,
malicious markup used in sequence with special HTML CDATA sections
cannot be filtered and sanitized. This allows bypassing the cross-site
scripting protection of typo3/html-sanitizer.

In addition, the upstream package masterminds/html5 provides HTML raw
text elements (script, style, noframes, noembed and iframe) as DOMText
nodes, which were not processed and sanitized further. None of the
mentioned elements are defined in the default builder configuration,
which is why only custom behaviors using one of those tag names were
vulnerable to cross-site scripting.


Solution
Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20,
12.1.1 that fix the problem described above.


Credits
Thanks to David Klein who reported this issue, and to TYPO3 core &
security team member Oliver Hader who fixed the issue.


General Advice
Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

General Note
All security related code changes are tagged so that you can easily
look them up in our review system.

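As an added check that is not part of the CERT-Renater bulletin or the TYPO3 advisories, the following Python script encodes the affected ranges and fixed releases stated in the six advisories above and reports which advisories apply to a given installed TYPO3 version; the advisory ids and version numbers are taken from this bulletin, everything else (function names, the sample versions) is assumed for illustration.

```python
"""Check an installed TYPO3 version against TYPO3-CORE-SA-2022-012 ... -017."""
import re

# Inclusive affected ranges, copied from the "Affected Versions" lines above.
AFFECTED = {
    "TYPO3-CORE-SA-2022-012": [("9.0.0", "9.5.37"), ("10.0.0", "10.4.32"),
                               ("11.0.0", "11.5.19")],
    "TYPO3-CORE-SA-2022-013": [("8.0.0", "8.7.48"), ("9.0.0", "9.5.37"), ("10.0.0", "10.4.32"),
                               ("11.0.0", "11.5.19"), ("12.0.0", "12.1.0")],
    "TYPO3-CORE-SA-2022-014": [("10.0.0", "10.4.32"), ("11.0.0", "11.5.19"),
                               ("12.0.0", "12.1.0")],
    "TYPO3-CORE-SA-2022-015": [("8.0.0", "8.7.48"), ("9.0.0", "9.5.37"), ("10.0.0", "10.4.32"),
                               ("11.0.0", "11.5.19"), ("12.0.0", "12.1.0")],
    "TYPO3-CORE-SA-2022-016": [("9.0.0", "9.5.37"), ("10.0.0", "10.4.32"),
                               ("11.0.0", "11.5.19"), ("12.0.0", "12.1.0")],
    "TYPO3-CORE-SA-2022-017": [("8.0.0", "8.7.48"), ("9.0.0", "9.5.37"), ("10.0.0", "10.4.32"),
                               ("11.0.0", "11.5.19"), ("12.0.0", "12.1.0")],
}
# First fixed release per major version, as stated in the "Solution" sections.
FIXED = {8: "8.7.49 ELTS", 9: "9.5.38 ELTS", 10: "10.4.33", 11: "11.5.20", 12: "12.1.1"}


def parse_version(text):
    """Turn '9.5.38 ELTS' or 'v10.4.32-dev' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised TYPO3 version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_advisories(version):
    """Return the ids of the advisories whose affected ranges contain `version`."""
    v = parse_version(version)
    return [sa for sa, ranges in AFFECTED.items()
            if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)]


def recommended_update(version):
    """First fixed release for the major version, or None if no advisory applies."""
    if not affected_advisories(version):
        return None
    return FIXED.get(parse_version(version)[0])


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real installation.
    for sample in ("8.7.48", "10.4.32", "11.5.20", "12.0.5"):
        print(sample, affected_advisories(sample), "->", recommended_update(sample))
```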

=======================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=======================================================
