======================================================================

                              CERT-Renater

                   Note d'Information No. 2024/VULN243
_____________________________________________________________________

DATE                : 16/05/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running TYPO3 CMS with Frontend
                         Rendering, Form Framework.

=====================================================================
https://typo3.org/security/advisory/typo3-core-sa-2024-009
https://typo3.org/security/advisory/typo3-core-sa-2024-010
https://typo3.org/security/advisory/typo3-core-sa-2024-008
https://typo3.org/security/advisory/typo3-core-sa-2024-007
_____________________________________________________________________

TYPO3-CORE-SA-2024-009: Cross-Site Scripting in ShowImageController
Categories: Development, TYPO3 CMS
Created by: Oliver Hader
It has been discovered that TYPO3 CMS is vulnerable to cross-site
scripting.

     Component Type: TYPO3 CMS
     Subcomponent: Frontend Rendering (ext:frontend)
     Release Date: May 14, 2024
     Vulnerability Type: Cross-Site Scripting
     Affected Versions: 9.0.0-9.5.47, 10.0.0-10.4.44, 11.0.0-11.5.36,
                         12.0.0-12.4.14, 13.0.0-13.1.0
     Severity: Medium
     Suggested CVSS:
                         CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
     References: CVE-2024-34357, CWE-79

Problem Description

Failing to properly encode user-controlled values in file entities,
the ShowImageController (eID tx_cms_showpic) is vulnerable to
cross-site scripting. Exploiting this vulnerability requires a
valid backend user account with access to file entities.


Solution

Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS,
12.4.15 LTS, 13.1.1 that fix the problem described.


Credits

Thanks to TYPO3 security team member Torben Hansen who reported this
issue and to TYPO3 core & security team member Oliver Hader who fixed
the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

TYPO3-CORE-SA-2024-010: Uncontrolled Resource Consumption in
ShowImageController
Categories: Development, TYPO3 CMS
Created by: Oliver Hader
It has been discovered that TYPO3 CMS is susceptible to denial of
service.

     Component Type: TYPO3 CMS
     Subcomponent: Frontend Rendering (ext:frontend)
     Release Date: May 14, 2024
     Vulnerability Type: Denial of Service
     Affected Versions: 9.0.0-9.5.47, 10.0.0-10.4.44, 11.0.0-11.5.36,
                         12.0.0-12.4.14, 13.0.0-13.1.0
     Severity: Medium
     Suggested CVSS:
                         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C
     References: CVE-2024-34358, CWE-347, CWE-400

Problem Description

The ShowImageController (eID tx_cms_showpic) lacks a
cryptographic HMAC signature on the frame HTTP query parameter
(e.g. /index.php?eID=tx_cms_showpic&file=3&...&frame=12345).

This allows adversaries to instruct the system to produce an
arbitrary number of thumbnail images on the server side.


Solution

Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS,
12.4.15 LTS, 13.1.1 that fix the problem described.

Strong security defaults - Manual actions required

The frame HTTP query parameter is now ignored, since it could not
be used by core APIs.

The new feature flag
security.frontend.allowInsecureFrameOptionInShowImageController –
which is disabled per default – can be used to reactivate
the previous behavior.
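The root cause above is a query parameter that the server honours but that the request's HMAC does not cover. The following added example (not TYPO3's own code; the parameter name "sig", the canonicalisation and the demo key are assumptions of this illustration) contrasts a signing policy that leaves "frame" uncovered with one that includes it, to show why only the latter stops a client from varying the value freely. Note that the actual TYPO3 fix ignores the parameter altogether unless the feature flag is set; covering it with the HMAC is shown here as the general pattern.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed demo key; a real installation would use its own secret.
SECRET_KEY = b"constructed-demo-key-not-a-real-typo3-key"

# Which query parameters the signature covers. The weak policy mirrors the
# advisory: "frame" is read from the query string but not signed. The
# hardened policy signs it as well. (Both parameter sets are assumptions.)
SIGNED_PARAMS_WEAK = ("file", "width", "height")
SIGNED_PARAMS_HARDENED = ("file", "width", "height", "frame")


def _signature(params: dict, covered: tuple) -> str:
    # Canonical string of the covered parameters only, in a fixed order;
    # a missing parameter is signed as the empty string.
    canonical = "&".join(f"{k}={params.get(k, '')}" for k in covered)
    return hmac.new(SECRET_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def build_show_image_query(params: dict, covered: tuple) -> str:
    """Server side: emit a query string carrying the HMAC in 'sig'."""
    signed = dict(params)
    signed["sig"] = _signature(params, covered)
    return urlencode(signed)


def verify_show_image_query(query: str, covered: tuple):
    """Server side: return the parameters only if the HMAC matches, else None."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    supplied = params.pop("sig", "")
    expected = _signature(params, covered)
    # Constant-time comparison avoids leaking the expected digest via timing.
    if not hmac.compare_digest(supplied, expected):
        return None
    return params


def tampered_frame_accepted(covered: tuple) -> bool:
    """Does a client-altered 'frame' value still pass verification?"""
    original = {"file": "3", "width": "200", "height": "150", "frame": "0"}
    query = build_show_image_query(original, covered)
    # Simulated client edit of the frame value after the URL was issued.
    tampered = query.replace("frame=0", "frame=12345")
    return verify_show_image_query(tampered, covered) is not None
```

With the weak policy the tampered request verifies, so each distinct frame value triggers a fresh thumbnail; with the hardened policy it is rejected before any image processing runs.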


Credits

Thanks to TYPO3 security team member Torben Hansen who reported
this issue and to TYPO3 core & security team members Benjamin
Mack and Benjamin Franzke who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

TYPO3-CORE-SA-2024-008: Cross-Site Scripting in Form Manager Module
Categories: Development, TYPO3 CMS
Created by: Oliver Hader
It has been discovered that TYPO3 CMS is vulnerable to cross-site
scripting.

     Component Type: TYPO3 CMS
     Subcomponent: Form Framework (ext:form)
     Release Date: May 14, 2024
     Vulnerability Type: Cross-Site Scripting
     Affected Versions: 9.0.0-9.5.47, 10.0.0-10.4.44, 11.0.0-11.5.36,
                         12.0.0-12.4.14, 13.0.0-13.1.0
     Severity: Medium
     Suggested CVSS:
                         CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
     References: CVE-2024-34356, CWE-79

Problem Description

The form manager backend module is vulnerable to cross-site scripting.
Exploiting this vulnerability requires a valid backend user account
with access to the form module.


Solution

Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS,
12.4.15 LTS, 13.1.1 that fix the problem described.


Credits

Thanks to TYPO3 core & security team member Benjamin Franzke who
reported and fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

TYPO3-CORE-SA-2024-007: HTML Injection in History Module
Categories: Development, TYPO3 CMS
Created by: Oliver Hader
It has been discovered that TYPO3 CMS is vulnerable to HTML injection.

     Component Type: TYPO3 CMS
     Subcomponent: History Module (ext:backend)
     Release Date: May 14, 2024
     Vulnerability Type: HTML Injection
     Affected Versions: 13.0.0-13.1.0
     Severity: Low
     Suggested CVSS:
                         CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C
     References: CVE-2024-34355, CWE-116

Problem Description

The history backend module is vulnerable to HTML injection. Although
Content-Security-Policy headers effectively prevent JavaScript
execution, adversaries can still inject malicious HTML markup.
Exploiting this vulnerability requires a valid backend user account.


Solution

Update to TYPO3 version 13.1.1 that fixes the problem described.


Credits

Thanks to TYPO3 core team member Andreas Kienast who reported this
issue and to TYPO3 core & security team member Benjamin Franzke who
fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
