
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN623
_____________________________________________________________________

DATE                : 18/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running "Form to Database"
                        (form_to_database) for TYPO3 and
                    "Base Excel" (base_excel) for TYPO3.

=====================================================================
https://lists.typo3.org/pipermail/typo3-announce/2025/000596.html
https://typo3.org/security/advisory/typo3-ext-sa-2025-012
https://typo3.org/security/advisory/typo3-ext-sa-2025-013
_____________________________________________________________________

Dear TYPO3 users,

Several vulnerabilities have been found in the following third-party TYPO3
extensions:

"Form to Database" (form_to_database)
"Base Excel" (base_excel)

For further information on the issues, please read the related advisories
TYPO3-EXT-SA-2025-012 and TYPO3-EXT-SA-2025-013 which were published today:

TYPO3-EXT-SA-2025-012: Cross-Site Scripting in extension "Form to Database"
(form_to_database)
[1]https://typo3.org/security/advisory/typo3-ext-sa-2025-012

TYPO3-EXT-SA-2025-013: Vulnerability in bundled package in extension "Base
Excel" (base_excel)
[2]https://typo3.org/security/advisory/typo3-ext-sa-2025-013

In general, the TYPO3 Security Team recommends reading the following pages:

The TYPO3 Security Guide:
[3]https://docs.typo3.org/typo3cms/CoreApiReference/Security/Index.html

Make sure you are subscribed to the TYPO3 Announce List:
[4]https://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce

See all TYPO3 security advisories:
[5]https://typo3.org/help/security-advisories

Best regards,

Torben Hansen
Member of the TYPO3 Security Team

--
TYPO3 Security Team homepage: [6]https://typo3.org/teams/security/

E-Mail: security at typo3.org

Please note: When replying to this e-mail, please leave the header intact.



[1] https://typo3.org/security/advisory/typo3-ext-sa-2025-012
[2] https://typo3.org/security/advisory/typo3-ext-sa-2025-013
[3] https://docs.typo3.org/typo3cms/CoreApiReference/Security/Index.html
[4] https://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce
[5] https://typo3.org/help/security-advisories
[6] https://typo3.org/teams/security/

_____________________________________________________________________

 Tue. 16th September, 2025
TYPO3-EXT-SA-2025-012: Cross-Site Scripting in extension "Form to
Database" (form_to_database)

Categories: Development. Created by Torben Hansen
It has been discovered that the extension "Form to Database"
(form_to_database) is susceptible to Cross-Site Scripting.

    Release Date: September 16, 2025
    Component Type: Third party extension. This extension is not a
part of the TYPO3 default installation.
    Component: "Form to Database" (form_to_database)
    Composer Package Name: lavitto/typo3-form-to-database
    Vulnerability Type: Cross-Site Scripting
    Affected Versions: 2.2.4 and below, 3.0.0 - 3.2.1, 4.0.0 - 4.2.2, 5.0.0 - 5.0.1
    Severity: Low
    Suggested CVSS v4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    References: CVE-2025-10316, CWE-79


Problem Description

The extension fails to properly encode user input for output in HTML
context in the TYPO3 backend user interface.

Solution

Updated versions 2.2.5, 3.2.2, 4.2.3 and 5.0.2 are available from the
TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/form_to_database/2.2.5/zip
https://extensions.typo3.org/extension/download/form_to_database/3.2.2/zip
https://extensions.typo3.org/extension/download/form_to_database/4.2.3/zip
https://extensions.typo3.org/extension/download/form_to_database/5.0.2/zip

Users of the extension are advised to update the extension as soon as possible.


Credits

Thanks to Sascha Egerer for reporting the vulnerability and to Liquid Light
for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


_____________________________________________________________________

 Tue. 16th September, 2025
TYPO3-EXT-SA-2025-013: Vulnerability in bundled package in extension
"Base Excel" (base_excel)

Categories: Development. Created by Torben Hansen
It has been discovered that the extension "Base Excel" (base_excel)
bundles a vulnerable version of "phpoffice/phpspreadsheet" which is
susceptible to Server-Side Request Forgery.

    Release Date: September 16, 2025
    Component Type: Third party extension. This extension is not a
part of the TYPO3 default installation.
    Component: "Base Excel" (base_excel)
    Composer Package Name: jambagecom/base-excel
    Vulnerability Type: Server-Side Request Forgery
    Affected Versions: 4.5.0 and below
    Severity: High
    Suggested CVSS v4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
    References: CVE-2025-54370, CWE-918


Problem Description

The TER extension bundles the PHP package "phpoffice/phpspreadsheet", which
is affected by a Server-Side Request Forgery vulnerability.


Solution

An updated version 5.1.0 is available from the TYPO3 extension manager,
packagist and at
https://extensions.typo3.org/extension/download/base_excel/5.1.0/zip

Users of the extension are advised to update the extension as soon as
possible.


Credits

Thanks to Franz Holzinger for providing an updated version of the
extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.
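To check a Composer-managed TYPO3 site against the affected and fixed versions listed in both advisories above (TYPO3-EXT-SA-2025-012 and -013), the following added script reads a composer.lock document and reports whether either package is installed in a vulnerable version. It is example code written for this note, not part of the advisories or the extensions; the version ranges are copied from the advisories, the Composer package names from the "Composer Package Name" fields, and the sample lock file is constructed.

```python
import json
from typing import List, Optional, Tuple

# Affected ranges (inclusive) as listed in TYPO3-EXT-SA-2025-012 / -013;
# "0.0.0" stands in for "x and below".
AFFECTED = {
    "lavitto/typo3-form-to-database": [("0.0.0", "2.2.4"), ("3.0.0", "3.2.1"),
                                       ("4.0.0", "4.2.2"), ("5.0.0", "5.0.1")],
    "jambagecom/base-excel": [("0.0.0", "4.5.0")],
}
FIXED = {
    "lavitto/typo3-form-to-database": ["2.2.5", "3.2.2", "4.2.3", "5.0.2"],
    "jambagecom/base-excel": ["5.1.0"],
}

def parse_version(v: str) -> Optional[Tuple[int, int, int]]:
    """'v4.2.2' -> (4, 2, 2); None for branch aliases such as 'dev-main'."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]] + [0] * (3 - min(len(parts), 3))
    return (nums[0], nums[1], nums[2])

def is_affected(name: str, version: str) -> Optional[bool]:
    """True/False for a numeric version; None when it cannot be parsed (check manually)."""
    pv = parse_version(version)
    if pv is None:
        return None
    return any(parse_version(lo) <= pv <= parse_version(hi)
               for lo, hi in AFFECTED.get(name, []))

def audit_lock(lock_json: str) -> List[dict]:
    """Report every advisory-listed package found in a composer.lock document."""
    data = json.loads(lock_json)
    findings = []
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        name, ver = pkg.get("name", ""), pkg.get("version", "")
        if name in AFFECTED:
            findings.append({"name": name, "version": ver,
                             "affected": is_affected(name, ver),
                             "fixed_versions": FIXED[name]})
    return findings

# Constructed sample lock file (not taken from any real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v12.4.20"},
    {"name": "lavitto/typo3-form-to-database", "version": "v4.2.2"},
    {"name": "jambagecom/base-excel", "version": "5.1.0"},
]})

if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK):
        print(finding)
```

Extensions installed from TER rather than Composer do not appear in composer.lock; for those, compare the version shown in the extension manager against the same ranges.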


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
