
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN598
_____________________________________________________________________

DATE                : 10/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running TYPO3-CORE versions prior to
                     9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS,
                     12.4.37 LTS, 13.4.18 LTS.

=====================================================================
https://typo3.org/security/advisory/typo3-core-sa-2025-017
https://typo3.org/security/advisory/typo3-core-sa-2025-018
https://typo3.org/security/advisory/typo3-core-sa-2025-019
https://typo3.org/security/advisory/typo3-core-sa-2025-020
https://typo3.org/security/advisory/typo3-core-sa-2025-021
https://typo3.org/security/advisory/typo3-core-sa-2025-022
https://typo3.org/security/advisory/typo3-core-sa-2025-023
_____________________________________________________________________

Tue. 9th September, 2025
TYPO3-CORE-SA-2025-017: Open Redirect in TYPO3 CMS
Categories: Development, TYPO3 CMS. Created by Oliver Hader.
It has been discovered that TYPO3 CMS is susceptible to open redirect.

    Component Type: TYPO3 CMS
    Subcomponent: Core Utilities (ext:core)
    Release Date: September 9, 2025
    Vulnerability Type: Open Redirect
    Affected Versions: 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47,
                       12.0.0-12.4.36, 13.0.0-13.4.17
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
    References: CVE-2025-59013, CWE-601


Problem Description

Applications that use
TYPO3\CMS\Core\Utility\GeneralUtility::sanitizeLocalUrl to allow
only local URLs are vulnerable to open redirect attacks if the URL
is used after it has passed the aforementioned sanitization checks.
This enables attackers to redirect users to external content and
carry out phishing attacks.
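As an added illustration of what a "local URLs only" check has to cover before a value is used as a redirect target (example code written for this note, not TYPO3's GeneralUtility::sanitizeLocalUrl; it is deliberately stricter than that function, rejecting absolute URLs even for the site's own host and relative paths without a leading slash; PHP 8 is assumed for str_contains/str_starts_with):

```php
<?php
declare(strict_types=1);

/**
 * Strict allow-list check: only an absolute path on the current origin passes.
 * Every form that could name another origin is rejected up front, so the
 * value is safe to hand to a Location header afterwards.
 */
function isLocalUrl(string $url): bool
{
    // Control characters and whitespace never belong in a redirect target;
    // browsers silently strip some of them, which defeats naive prefix checks.
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return false;
    }
    // Browsers treat a backslash like a forward slash, so "/\host" would be
    // read as protocol-relative by the client even if PHP sees a plain path.
    if (str_contains($url, '\\')) {
        return false;
    }
    // Protocol-relative URLs ("//host/...") change the origin.
    if (str_starts_with($url, '//')) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    // Any scheme, authority or credentials component means this is not a plain
    // local path (covers "https://", "javascript:", "user@host", ...).
    foreach (['scheme', 'host', 'port', 'user', 'pass'] as $component) {
        if (isset($parts[$component])) {
            return false;
        }
    }
    // What remains must be an absolute path on this site; query string and
    // fragment are allowed.
    $path = $parts['path'] ?? '';
    return $path !== '' && $path[0] === '/';
}

/**
 * Resolve the redirect target: a value that fails the check is replaced by a
 * fixed safe fallback instead of being forwarded as supplied.
 */
function redirectTarget(string $requested, string $fallback = '/'): string
{
    return isLocalUrl($requested) ? $requested : $fallback;
}
```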


Solution

Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS,
12.4.37 LTS, 13.4.18 LTS that fix the problem described.


Credits

Thanks to TYPO3 core & security team member Oliver Hader for
reporting this issue, and to TYPO3 core & security team member
Benjamin Franzke for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily
look them up in our review system.

_____________________________________________________________________

Tue. 9th September, 2025
TYPO3-CORE-SA-2025-018: Denial of Service in TYPO3 Bookmark Toolbar
Categories: Development, TYPO3 CMS. Created by Oliver Hader.
It has been discovered that TYPO3 CMS is susceptible to denial of
service.

    Component Type: TYPO3 CMS
    Subcomponent: Bookmark Toolbar (ext:backend)
    Release Date: September 9, 2025
    Vulnerability Type: Denial of Service
    Affected Versions: 11.0.0-11.5.47, 12.0.0-12.4.36, 13.0.0-13.4.17
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
    References: CVE-2025-59014, CWE-248

Problem Description

Due to insufficient input validation, manipulated data saved in the
bookmark toolbar of the backend user interface causes a general
error state, blocking further access to the interface. Exploiting
this vulnerability requires an administrator-level backend user
account.


Solution

Update to TYPO3 versions 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS
that fix the problem described.


Credits

Thanks to Jakub Świes for reporting this issue, and to TYPO3 core
& security team member Oliver Hader for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th September, 2025
TYPO3-CORE-SA-2025-019: Insufficient Entropy in Password Generation
Categories: Development, TYPO3 CMS. Created by Oliver Hader.
It has been discovered that TYPO3 CMS is susceptible to insufficient
entropy.

    Component Type: TYPO3 CMS
    Subcomponent: Crypto (ext:core)
    Release Date: September 9, 2025
    Vulnerability Type: Insufficient Entropy
    Affected Versions: 12.0.0-12.4.36, 13.0.0-13.4.17
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    References: CVE-2025-59015, CWE-331

Problem Description

By default, the Password Generation component creates a password that
always begins with a deterministic three‑character prefix (lower‑case,
upper‑case, digit). Consequently, the effective entropy of the
generated passwords is lower than expected. Invocations that employ
the random password rules are unaffected.


Solution

Update to TYPO3 versions 12.4.37 LTS, 13.4.18 LTS that fix the
problem described.


Credits

Thanks to Mathias Brodala for reporting this issue, and to TYPO3
core & security team member Oliver Hader for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th September, 2025
TYPO3-CORE-SA-2025-020: Information Disclosure via File Abstraction Layer
Categories: Development, TYPO3 CMS. Created by Oliver Hader.
It has been discovered that TYPO3 CMS is susceptible to information
disclosure.

    Component Type: TYPO3 CMS
    Subcomponent: File Abstraction Layer (ext:core)
    Release Date: September 9, 2025
    Vulnerability Type: Information Disclosure
    Affected Versions: 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47,
                       12.0.0-12.4.36, 13.0.0-13.4.17
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
    References: CVE-2025-59016, CWE-209


Problem Description

When specific low‑level file‑system operations fail during execution
through the File Abstraction Layer, the full path of the affected
resource is disclosed. Exploiting this vulnerability requires a valid
backend user account.


Solution

Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS,
12.4.37 LTS, 13.4.18 LTS that fix the problem described.


Credits

Thanks to Dmitry Petschke and Marc Willmann for reporting this issue,
and to TYPO3 core team member Andreas Kienast for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th September, 2025
TYPO3-CORE-SA-2025-021: Broken Access Control in Backend AJAX Routes
Categories: Development, TYPO3 CMS. Created by Oliver Hader.
It has been discovered that TYPO3 CMS is susceptible to broken access
control.

    Component Type: TYPO3 CMS
    Subcomponent: Backend Routing (ext:backend)
    Release Date: September 9, 2025
    Vulnerability Type: Broken Access Control
    Affected Versions: 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47,
                       12.0.0-12.4.36, 13.0.0-13.4.17
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
    References: CVE-2025-59017, CWE-862

Problem Description

Dedicated AJAX routes used by TYPO3 backend modules were not protected
by the same permission checks that guard the modules themselves. As a
result, an authenticated backend user could directly call these
routes - even if the user had no permissions to the corresponding
module.

This allowed users to read, modify, or delete data
directly - effectively bypassing module‑level restrictions.


Solution

Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS,
12.4.37 LTS, 13.4.18 LTS that fix the problem described.

The AJAX route property inheritAccessFromModule is introduced. When
this property is set, a route is explicitly bound to the permissions
of a specified backend module.

In general, developers are advised to always verify authorization on
target resources (pages, database tables, files, etc.) within the
corresponding AJAX handler or controller. More details are available
at https://docs.typo3.org/permalink/t3coreapi:be-user-check.
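Added example of both measures described above, for a hypothetical extension "myext" (this is not TYPO3 core code; the route key, path, controller class and the module identifier "web_myext" are constructed): the route is bound to its module with inheritAccessFromModule, and the handler additionally checks read permission on the requested table, which is the check whose absence is described in TYPO3-CORE-SA-2025-022 and TYPO3-CORE-SA-2025-023. The two files are shown one after the other.

```php
<?php
declare(strict_types=1);

// --- Configuration/Backend/AjaxRoutes.php (hypothetical extension "myext") --
use MyVendor\Myext\Controller\RecordAjaxController;

return [
    'myext_records' => [
        'path' => '/myext/records',
        'target' => RecordAjaxController::class . '::listAction',
        // Bind the route to the access rules of the module it belongs to
        // (property introduced with the fix for TYPO3-CORE-SA-2025-021).
        // A backend user without access to the module can no longer call
        // the route directly.
        'inheritAccessFromModule' => 'web_myext',
    ],
];

// --- Classes/Controller/RecordAjaxController.php (same extension) -----------
namespace MyVendor\Myext\Controller;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Core\Http\JsonResponse;

final class RecordAjaxController
{
    public function listAction(ServerRequestInterface $request): ResponseInterface
    {
        $table = (string)($request->getQueryParams()['table'] ?? '');
        $backendUser = $GLOBALS['BE_USER'];

        // Module access says nothing about the data the caller asks for.
        // Verify read access to the target table as well; admins pass, all
        // other users need the table in their allowed tables.
        if ($table === '' || !$backendUser->check('tables_select', $table)) {
            return new JsonResponse(['error' => 'Access to table denied'], 403);
        }

        // For page-bound records, the rows' pid must additionally lie within
        // the user's page mounts before they are returned (not shown here).
        return new JsonResponse(['table' => $table, 'records' => []]);
    }
}
```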


Credits

Thanks to TYPO3 security team member Elias Häußler for reporting and
fixing this issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th September, 2025
TYPO3-CORE-SA-2025-022: Information Disclosure in Workspaces Module
Categories: Development, TYPO3 CMS. Created by Oliver Hader.
It has been discovered that TYPO3 CMS is susceptible to information
disclosure.

    Component Type: TYPO3 CMS
    Subcomponent: Workspaces Module (ext:workspaces)
    Release Date: September 9, 2025
    Vulnerability Type: Information Disclosure
    Affected Versions: 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47,
                       12.0.0-12.4.36, 13.0.0-13.4.17
    Severity: High
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
    References: CVE-2025-59018, CWE-200

Problem Description

In addition to the vulnerability documented in TYPO3‑CORE‑SA‑2025‑021
(CVE‑2025‑59017), any authenticated backend user could invoke a backend
AJAX route belonging to the workspaces module.

The route allowed the caller to request arbitrary data from the database,
without performing a permission check on the target table. Consequently,
a backend user without rights to a particular database table could
retrieve sensitive records, leading to information disclosure.


Solution

Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS,
12.4.37 LTS, 13.4.18 LTS that fix the problem described.


Credits

Thanks to TYPO3 core & security team member Oliver Hader for reporting
and fixing this issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th September, 2025
TYPO3-CORE-SA-2025-023: Information Disclosure via CSV Download
Categories: Development, TYPO3 CMS. Created by Oliver Hader.
It has been discovered that TYPO3 CMS is susceptible to information
disclosure.

    Component Type: TYPO3 CMS
    Subcomponent: List Module (ext:backend, ext:recordlist)
    Release Date: September 9, 2025
    Vulnerability Type: Information Disclosure
    Affected Versions: 11.0.0-11.5.47, 12.0.0-12.4.36, 13.0.0-13.4.17
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
    References: CVE-2025-59019, CWE-200

Problem Description

The CSV download feature in the backend user interface allowed
callers to request arbitrary data from the database without
performing a permission check on the target table. Consequently,
a backend user without rights to a particular database table
could retrieve records, leading to information disclosure. This
vulnerability was limited to database records that fell within
the page tree the user was already permitted to access.


Solution

Update to TYPO3 versions 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS
that fix the problem described.


Credits

Thanks to TYPO3 core & security team member Oliver Hader for
reporting the issue, and to TYPO3 core & security team member
Benjamin Franzke for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily
look them up in our review system.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
