=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN599
_____________________________________________________________________

DATE                : 10/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running extension "TYPO3 Backup Plus"
                       (ns_backup) versions prior to 13.0.3.

=====================================================================
https://typo3.org/security/advisory/typo3-ext-sa-2025-011
_____________________________________________________________________

Tue. 2nd September, 2025
TYPO3-EXT-SA-2025-011: Command Injection in extension "TYPO3 Backup
Plus" (ns_backup)
Categories: Development
Created by Torben Hansen

It has been discovered that the extension "TYPO3 Backup Plus"
(ns_backup) is susceptible to Command Injection.

    Release Date: September 2, 2025
    Component Type: Third party extension. This extension is not a
      part of the TYPO3 default installation.
    Component: "TYPO3 Backup Plus" (ns_backup)
    Composer Package Name: nitsan/ns-backup
    Vulnerability Type: Command Injection
    Affected Versions: 13.0.2 and below
    Severity: High
    Suggested CVSS v4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    References: CVE-2025-9573, CWE-77


Problem Description

The extension fails to sanitize user input, resulting in Command
Injection when creating a backup. Exploiting this vulnerability
requires a valid administrator account.


Solution

The updated version 13.0.3 is available from the TYPO3 extension
manager, Packagist and at
https://extensions.typo3.org/extension/download/ns_backup/13.0.3/zip

Users of the extension are advised to update the extension as soon as
possible.
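
To find installations that still need the update, the following added
example (not part of the TYPO3 advisory or of the extension's code)
classifies a composer.lock against the affected range given above. It
assumes a Composer-based TYPO3 setup; the helper names and the sample
lock contents are constructed for illustration.

```python
import json
import re

PACKAGE = "nitsan/ns-backup"   # Composer package name from the advisory
FIXED = (13, 0, 3)             # first fixed version per the advisory


def parse_version(raw):
    """Return (major, minor, patch) for '13.0.2' or 'v13.0.2', else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def check_lock(lock_text):
    """Classify a composer.lock document against TYPO3-EXT-SA-2025-011.

    Returns (status, version); status is one of 'not-installed',
    'vulnerable', 'fixed' or 'unknown'.
    """
    lock = json.loads(lock_text)
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    for pkg in entries:
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        raw = pkg.get("version", "")
        parsed = parse_version(raw)
        if parsed is None:
            # Branch builds such as 'dev-main' cannot be compared: review by hand.
            return ("unknown", raw)
        return ("vulnerable" if parsed < FIXED else "fixed", raw)
    return ("not-installed", None)


# Constructed sample lock files (not taken from a real project).
SAMPLE_VULNERABLE = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v13.4.0"},
    {"name": "nitsan/ns-backup", "version": "13.0.2"},
]})
SAMPLE_FIXED = json.dumps({"packages": [
    {"name": "nitsan/ns-backup", "version": "v13.0.3"},
]})
SAMPLE_BRANCH = json.dumps({"packages": [], "packages-dev": [
    {"name": "nitsan/ns-backup", "version": "dev-main"},
]})

if __name__ == "__main__":
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "composer.lock") as fh:
        print(check_lock(fh.read()))
```

A result of 'unknown' means the locked version is a branch or
pre-release string that needs manual comparison with 13.0.3.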


Credits

Thanks to the Swiss NCSC Vulnerability Management Team for
reporting the vulnerability and to NITSAN for providing an
updated version of the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
