=====================================================================
CERT-Renater Note d'Information No. 2025/VULN010
_____________________________________________________________________

DATE : 17/01/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running TYPO3 versions prior to 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS.
=====================================================================

https://typo3.org/security/advisory/typo3-core-sa-2025-010
https://typo3.org/security/advisory/typo3-core-sa-2025-009
https://typo3.org/security/advisory/typo3-core-sa-2025-008
https://typo3.org/security/advisory/typo3-core-sa-2025-007
https://typo3.org/security/advisory/typo3-core-sa-2025-006
https://typo3.org/security/advisory/typo3-core-sa-2025-005
https://typo3.org/security/advisory/typo3-core-sa-2025-004
https://typo3.org/security/advisory/typo3-core-sa-2025-003
https://typo3.org/security/advisory/typo3-core-sa-2025-002
https://typo3.org/security/advisory/typo3-core-sa-2025-001
_____________________________________________________________________

Tue. 14th January, 2025
TYPO3-CORE-SA-2025-010: Cross-Site Request Forgery in DB Check Module
Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.

Component Type: TYPO3 CMS
Subcomponent: DB Check Module (ext:lowlevel)
Release Date: January 14, 2025
Vulnerability Type: Cross-Site Request Forgery
Affected Versions: 11.0.0-11.5.41
Severity: Medium
Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
References: CVE-2024-55945, CWE-352, CWE-749

Problem Description
A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF).
Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:
  - the user opens a malicious link, such as one sent via email;
  - the user visits a compromised or manipulated website while the following settings are misconfigured:
      - the security.backend.enforceReferrer feature is disabled,
      - the BE/cookieSameSite configuration is set to lax or none.

The vulnerability in the affected downstream component "DB Check Module" allows attackers to manipulate data through unauthorized actions.

Solution
Update to TYPO3 version 11.5.42 ELTS, which fixes the problem described.
In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.
Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.

Credits
Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so you can easily look them up in our review system.
_____________________________________________________________________

Tue. 14th January, 2025
TYPO3-CORE-SA-2025-009: Cross-Site Request Forgery in Scheduler Module
Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.
Component Type: TYPO3 CMS
Subcomponent: Scheduler (ext:scheduler)
Release Date: January 14, 2025
Vulnerability Type: Cross-Site Request Forgery
Affected Versions: 11.0.0-11.5.41
Severity: High
Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
References: CVE-2024-55924, CWE-352, CWE-749

Problem Description
A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:
  - the user opens a malicious link, such as one sent via email;
  - the user visits a compromised or manipulated website while the following settings are misconfigured:
      - the security.backend.enforceReferrer feature is disabled,
      - the BE/cookieSameSite configuration is set to lax or none.

The vulnerability in the affected downstream component "Scheduler Module" allows attackers to trigger pre-defined command classes - which can lead to unauthorized import or export of data in the worst case.

Solution
Update to TYPO3 version 11.5.42 ELTS, which fixes the problem described.
In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.
Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.
Credits
Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so you can easily look them up in our review system.
_____________________________________________________________________

Tue. 14th January, 2025
TYPO3-CORE-SA-2025-008: Cross-Site Request Forgery in Indexed Search Module
Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.

Component Type: TYPO3 CMS
Subcomponent: Indexed Search (ext:indexed_search)
Release Date: January 14, 2025
Vulnerability Type: Cross-Site Request Forgery
Affected Versions: 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2
Severity: Medium
Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
References: CVE-2024-55923, CWE-352, CWE-749

Problem Description
A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:
  - the user opens a malicious link, such as one sent via email;
  - the user visits a compromised or manipulated website while the following settings are misconfigured:
      - the security.backend.enforceReferrer feature is disabled,
      - the BE/cookieSameSite configuration is set to lax or none.

The vulnerability in the affected downstream component "Indexed Search Module" allows attackers to delete items of the component.

Solution
Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.
In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.
Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.

Credits
Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so you can easily look them up in our review system.
_____________________________________________________________________

Tue. 14th January, 2025
TYPO3-CORE-SA-2025-007: Cross-Site Request Forgery in Form Framework Module
Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.
Component Type: TYPO3 CMS
Subcomponent: Form Framework (ext:form)
Release Date: January 14, 2025
Vulnerability Type: Cross-Site Request Forgery
Affected Versions: 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2
Severity: Medium
Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
References: CVE-2024-55922, CWE-352, CWE-749

Problem Description
A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:
  - the user opens a malicious link, such as one sent via email;
  - the user visits a compromised or manipulated website while the following settings are misconfigured:
      - the security.backend.enforceReferrer feature is disabled,
      - the BE/cookieSameSite configuration is set to lax or none.

The vulnerability in the affected downstream component "Form Framework Module" allows attackers to manipulate or delete persisted form definitions.

Solution
Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.
In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.
Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.
Credits
Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so you can easily look them up in our review system.
_____________________________________________________________________

Tue. 14th January, 2025
TYPO3-CORE-SA-2025-006: Cross-Site Request Forgery in Extension Manager Module
Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.

Component Type: TYPO3 CMS
Subcomponent: Extension Manager (ext:extensionmanager)
Release Date: January 14, 2025
Vulnerability Type: Cross-Site Request Forgery
Affected Versions: 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2
Severity: High
Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
References: CVE-2024-55921, CWE-352, CWE-749

Problem Description
A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:
  - the user opens a malicious link, such as one sent via email;
  - the user visits a compromised or manipulated website while the following settings are misconfigured:
      - the security.backend.enforceReferrer feature is disabled,
      - the BE/cookieSameSite configuration is set to lax or none.

The vulnerability in the affected downstream component "Extension Manager Module" allows attackers to retrieve and install third-party extensions from the TYPO3 Extension Repository - which can lead to remote code execution in the worst case.

Solution
Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.
In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.
Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.

Credits
Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so you can easily look them up in our review system.
_____________________________________________________________________

Tue. 14th January, 2025
TYPO3-CORE-SA-2025-005: Cross-Site Request Forgery in Dashboard Module
Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.
Component Type: TYPO3 CMS
Subcomponent: Dashboard Module (ext:dashboard)
Release Date: January 14, 2025
Vulnerability Type: Cross-Site Request Forgery
Affected Versions: 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2
Severity: Medium
Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
References: CVE-2024-55920, CWE-352, CWE-749

Problem Description
A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:
  - the user opens a malicious link, such as one sent via email;
  - the user visits a compromised or manipulated website while the following settings are misconfigured:
      - the security.backend.enforceReferrer feature is disabled,
      - the BE/cookieSameSite configuration is set to lax or none.

The vulnerability in the affected downstream component "Dashboard Module" allows attackers to manipulate the victim's dashboard configuration.

Solution
Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.
In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.
Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.
Credits
Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so you can easily look them up in our review system.
_____________________________________________________________________

Tue. 14th January, 2025
TYPO3-CORE-SA-2025-004: Cross-Site Request Forgery in Backend User Module
Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.

Component Type: TYPO3 CMS
Subcomponent: Backend User Module (ext:beuser)
Release Date: January 14, 2025
Vulnerability Type: Cross-Site Request Forgery
Affected Versions: 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2
Severity: Medium
Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
References: CVE-2024-55894, CWE-352, CWE-749

Problem Description
A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:
  - the user opens a malicious link, such as one sent via email;
  - the user visits a compromised or manipulated website while the following settings are misconfigured:
      - the security.backend.enforceReferrer feature is disabled,
      - the BE/cookieSameSite configuration is set to lax or none.

The vulnerability in the affected downstream component "Backend User Module" allows attackers to initiate password resets for other backend users or to terminate their user sessions.

Solution
Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.
In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.
Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.

Credits
Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so you can easily look them up in our review system.
_____________________________________________________________________

Tue. 14th January, 2025
TYPO3-CORE-SA-2025-003: Cross-Site Request Forgery in Log Module
Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.
Component Type: TYPO3 CMS
Subcomponent: Log Module (ext:belog)
Release Date: January 14, 2025
Vulnerability Type: Cross-Site Request Forgery
Affected Versions: 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2
Severity: Medium
Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
References: CVE-2024-55893, CWE-352, CWE-749

Problem Description
A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:
  - the user opens a malicious link, such as one sent via email;
  - the user visits a compromised or manipulated website while the following settings are misconfigured:
      - the security.backend.enforceReferrer feature is disabled,
      - the BE/cookieSameSite configuration is set to lax or none.

The vulnerability in the affected downstream component "Log Module" allows attackers to remove log entries.

Solution
Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.
In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.
Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.

Credits
Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.
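The eight CSRF advisories above (SA-2025-003 through SA-2025-010) all describe the same defect shape: a backend action that changes state on any HTTP method and checks nothing beyond the presence of a session cookie (CWE-352, CWE-749), reachable when the browser is willing to attach that cookie to a cross-site request. The following Python model is an added example written for this bulletin; it is not TYPO3 code, none of the function or parameter names are TYPO3 APIs, and the log entries, origins and session are constructed. It puts a pre-fix style handler beside a hardened one (POST only, initiator origin check standing in for security.backend.enforceReferrer, per-session token) and simulates the browser's SameSite cookie policy, which is why the advisories single out BE/cookieSameSite=lax or none: with lax, a top-level GET navigation such as clicking a link in a mail still carries the cookie, so a GET-accepting action is enough. The model does not reproduce the backend deep-link handling the advisories refer to.

```python
"""Model of the CSRF pattern behind TYPO3-CORE-SA-2025-003 to -010
(constructed example; none of these names are TYPO3 APIs)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

BACKEND_ORIGIN = "https://cms.example"          # assumed backend origin
ATTACKER_ORIGIN = "https://attacker.example"    # assumed attacker site


@dataclass
class Session:
    user: str
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    session: Optional[Session]      # None when the browser withheld the cookie
    origin: Optional[str] = None    # Origin/Referer of the page that sent it


def csrf_token(session: Session, action: str) -> str:
    """Per-session token bound to the action name (HMAC over the session secret)."""
    return hmac.new(session.csrf_secret.encode(), action.encode(), hashlib.sha256).hexdigest()


def vulnerable_delete(req: Request, entries: Dict[int, str]) -> str:
    """Pre-fix shape: any HTTP method, no token, only 'is there a session?'."""
    if req.session is None:
        return "401"
    entries.pop(int(req.params["uid"]), None)
    return "200"


def hardened_delete(req: Request, entries: Dict[int, str]) -> str:
    """Post-fix shape: POST only, same-origin initiator, valid per-session token."""
    if req.session is None:
        return "401"
    if req.method != "POST":                 # enforce the HTTP method (CWE-749)
        return "405"
    if req.origin != BACKEND_ORIGIN:         # what an enforced referrer check buys
        return "403 origin"
    expected = csrf_token(req.session, "belog/delete")
    if not hmac.compare_digest(req.params.get("token", ""), expected):
        return "403 token"
    entries.pop(int(req.params["uid"]), None)
    return "200"


def browser_sends_cookie(samesite: str, method: str, top_level_nav: bool) -> bool:
    """Whether a browser attaches the session cookie to a cross-site request."""
    if samesite == "strict":
        return False
    if samesite == "lax":
        return method == "GET" and top_level_nav   # e.g. clicking a link in a mail
    return True                                     # none: always sent


Handler = Callable[[Request, Dict[int, str]], str]


def cross_site_attempt(handler: Handler, samesite: str, method: str,
                       top_level_nav: bool, victim: Session) -> Tuple[str, bool]:
    """Attacker-initiated request against log entry 2; returns (status, deleted?)."""
    entries = {1: "login admin", 2: "delete page 42"}      # constructed log entries
    sess = victim if browser_sends_cookie(samesite, method, top_level_nav) else None
    req = Request(method, {"uid": "2"}, sess, origin=ATTACKER_ORIGIN)
    return handler(req, entries), 2 not in entries


def legitimate_delete(victim: Session) -> Tuple[str, bool]:
    """Same-origin POST carrying the token the backend rendered into its own form."""
    entries = {1: "login admin", 2: "delete page 42"}
    req = Request("POST", {"uid": "2", "token": csrf_token(victim, "belog/delete")},
                  victim, origin=BACKEND_ORIGIN)
    return hardened_delete(req, entries), 2 not in entries


if __name__ == "__main__":
    v = Session("editor")
    print(cross_site_attempt(vulnerable_delete, "lax", "GET", True, v))   # ('200', True)
    print(cross_site_attempt(hardened_delete, "none", "POST", False, v))  # ('403 origin', False)
    print(legitimate_delete(v))                                            # ('200', True)
```

Two readings of the simulation match the advisory text: with the default strict cookie the cross-site request arrives without a session and fails at the first check even for the vulnerable handler, and with lax a mailed GET link succeeds against the vulnerable handler but fails with 405 against the hardened one because the method is enforced before anything else. The token check is what protects a same-origin page that has been injected with attacker content, where neither SameSite nor a referrer check helps.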
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so you can easily look them up in our review system.
_____________________________________________________________________

Tue. 14th January, 2025
TYPO3-CORE-SA-2025-002: Potential Open Redirect via Parsing Differences
Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to open redirect.

Component Type: TYPO3 CMS
Subcomponent: HTTP URI Component (ext:core)
Release Date: January 14, 2025
Vulnerability Type: Open Redirect
Affected Versions: 9.0.0-9.5.48, 10.0.0-10.4.47, 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2
Severity: Medium
Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
References: CVE-2024-55892, CWE-601

Problem Description
Applications that use TYPO3\CMS\Core\Http\Uri to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing the validation checks.

Solution
Update to TYPO3 versions 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.

Credits
Thanks to Sam Mush and Christian Eßl who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so you can easily look them up in our review system.
_____________________________________________________________________

Tue. 14th January, 2025
TYPO3-CORE-SA-2025-001: Information Disclosure via Exception Handling/Logger
Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to information disclosure.

Component Type: TYPO3 CMS
Subcomponent: Install Tool (ext:install)
Release Date: January 14, 2025
Vulnerability Type: Information Disclosure
Affected Versions: 13.4.2
Severity: Low
Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
References: CVE-2024-55891, CWE-532

Problem Description
It has been discovered that the Install Tool password was logged in plaintext in case the password hashing mechanism used for the password was incorrect.

Solution
Update to TYPO3 version 13.4.3 LTS, which fixes the problem described.

Credits
Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so you can easily look them up in our review system.

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================
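TYPO3-CORE-SA-2025-002 above describes the class of bug, not the specific parsing difference: a redirect target is judged safe from the host that one URL parser reports, while the browser that follows the redirect (or the HTTP client in the SSRF case) may read the same string differently. The following Python example is added for this bulletin and is not the TYPO3\CMS\Core\Http\Uri implementation; the allow-list and host names are constructed. It uses a backslash in the authority, which Python's urllib keeps inside the netloc while WHATWG browsers treat it as the end of the host, as one illustration of such a difference, and shows a validator that refuses inputs the two parsers could disagree on and redirects only to a URL rebuilt from the validated parts.

```python
"""Generic form of the host-validation pitfall in TYPO3-CORE-SA-2025-002
(CWE-601). Constructed example; not the TYPO3 Uri class."""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"cms.example"}  # assumed allow-list of redirect targets


def naive_is_safe(url: str) -> bool:
    """Trusts whatever host the library parser reports."""
    return urlsplit(url).hostname in ALLOWED_HOSTS


def browser_host(url: str) -> str:
    """Rough model of WHATWG host extraction for http(s) URLs: a backslash
    ends the authority like '/' does, and the last '@' splits off userinfo."""
    rest = url.split("//", 1)[1]
    for i, ch in enumerate(rest):
        if ch in "/\\?#":
            rest = rest[:i]
            break
    return rest.rsplit("@", 1)[-1].split(":")[0].lower()


def _ambiguous(url: str) -> bool:
    """Characters on which RFC 3986-style and WHATWG parsers are known to differ."""
    return any(ch == "\\" or ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url)


def hardened_is_safe(url: str) -> bool:
    """Rejects anything the two parsers could disagree on, then checks the host."""
    if _ambiguous(url):
        return False                      # backslash, whitespace, control chars
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                      # no scheme-relative or javascript: targets
    if "@" in parts.netloc:
        return False                      # userinfo has no business in a redirect
    return parts.hostname in ALLOWED_HOSTS


def safe_redirect_target(url: str, fallback: str = "https://cms.example/") -> str:
    """Canonical URL rebuilt from the validated parts (port and fragment dropped),
    or the fallback when validation fails."""
    if not hardened_is_safe(url):
        return fallback
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.hostname, p.path or "/", p.query, ""))


if __name__ == "__main__":
    evil = "https://evil.example\\@cms.example/"
    print(naive_is_safe(evil), urlsplit(evil).hostname, browser_host(evil))
    # True cms.example evil.example   <- validator and browser disagree
    print(hardened_is_safe(evil), safe_redirect_target(evil))
```

The rebuild step matters as much as the rejection list: even after validation, handing the raw input string to the Location header means the browser re-parses it with its own rules, whereas urlunsplit over the validated scheme, host and path yields a string both sides read the same way.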