
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN030
_____________________________________________________________________

DATE                : 14/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running TYPO3 CMS versions prior to
                     10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS,
                     13.4.23 LTS, 14.0.2.

=====================================================================
https://typo3.org/security/advisory/typo3-core-sa-2026-003
https://typo3.org/security/advisory/typo3-core-sa-2026-001
https://typo3.org/security/advisory/typo3-core-sa-2026-002
https://typo3.org/security/advisory/typo3-core-sa-2026-004
_____________________________________________________________________

 Tue. 13th January, 2026
TYPO3-CORE-SA-2026-003: Broken Access Control in Recycler Module
Categories: Development, TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to broken access
control.

    Component Type: TYPO3 CMS
    Subcomponent: Recycler (ext:recycler)
    Release Date: January 13, 2026
    Vulnerability Type: Broken Access Control
    Affected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40,
13.0.0-13.4.22, 14.0.0-14.0.1
    Severity: High
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
    References: CVE-2025-59022, CWE-862

Problem Description

Backend users who had access to the recycler module could delete
arbitrary data from any database table defined in the TCA -
regardless of whether they had permission to that particular table.
This allowed attackers to purge and destroy critical site data,
effectively rendering the website unavailable.


Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS,
13.4.23 LTS, 14.0.2 that fix the problem described.


Credits

Thanks to Sven Jürgens and Daniel Windloff for reporting this issue,
and to TYPO3 security team member Elias Häußler for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

 Tue. 13th January, 2026
TYPO3-CORE-SA-2026-001: Broken Access Control in Edit Document
Controller
Categories: Development, TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to broken
access control.

    Component Type: TYPO3 CMS
    Subcomponent: Edit Document Controller (ext:backend)
    Release Date: January 13, 2026
    Vulnerability Type: Broken Access Control
    Affected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, 14.0.0-14.0.1
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
    References: CVE-2025-59020, CWE-863

Problem Description

By exploiting the defVals parameter, attackers could bypass field‑level
access checks during record creation in the TYPO3 backend. This gave
them the ability to insert arbitrary data into prohibited exclude
fields of a database table for which the user already has write
permission for a reduced set of fields.


Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS,
13.4.23 LTS, 14.0.2 that fix the problem described.


Credits

Thanks to Daniel Windloff for reporting this issue, and to TYPO3
core & security team member Benjamin Franzke for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

 Tue. 13th January, 2026
TYPO3-CORE-SA-2026-002: Broken Access Control in Redirects Module
Categories: Development, TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to broken access
control.

    Component Type: TYPO3 CMS
    Subcomponent: Redirects (ext:redirects)
    Release Date: January 13, 2026
    Vulnerability Type: Broken Access Control
    Affected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40,
13.0.0-13.4.22, 14.0.0-14.0.1
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
    References: CVE-2025-59021, CWE-862


Problem Description

Backend users with access to the redirects module and write permission
on the sys_redirect table were able to read, create, and modify any
redirect record - without restriction to the user’s own file‑mounts or
web‑mounts. This allowed attackers to insert or alter redirects
pointing to arbitrary URLs - facilitating phishing or other malicious
redirect attacks.


Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS,
13.4.23 LTS, 14.0.2 that fix the problem described.


Credits

Thanks to Georg Dümmler for reporting this issue, and to TYPO3
security team member Elias Häußler for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

 Tue. 13th January, 2026
TYPO3-CORE-SA-2026-004: Insecure Deserialization via Mailer File Spool
Categories: Development, TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to insecure
deserialization.

    Component Type: TYPO3 CMS
    Subcomponent: Mailer (ext:core)
    Release Date: January 13, 2026
    Vulnerability Type: Insecure Deserialization
    Affected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40,
13.0.0-13.4.22, 14.0.0-14.0.1
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
    References: CVE-2026-0859, CWE-502


Problem Description

Local platform users who can write to TYPO3’s mail‑file spool directory
can craft a file that the system will automatically deserialize without
any class restrictions. This flaw allows an attacker to inject and
execute arbitrary PHP code in the public scope of the web server.

The vulnerability is triggered when TYPO3 is configured with
$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file';
and a scheduler task or cron job runs the command mailer:spool:send.
The spool‑send operation performs the insecure deserialization that
is at the core of this issue.
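The four advisories above list the same affected ranges and fixed releases, and
TYPO3-CORE-SA-2026-004 additionally depends on the file spool configuration and
a scheduled mailer:spool:send run. The following triage helper is an added
example (not part of the CERT-Renater notice or of TYPO3's own code) that
encodes those ranges and preconditions; the function names are assumptions.

```python
# Added triage helper, not TYPO3 code: decides whether an installed TYPO3
# version falls into the affected ranges listed in TYPO3-CORE-SA-2026-001..004,
# names the fixing release, and checks the preconditions the advisory states
# for the mailer file-spool deserialization issue (SA-2026-004).
from __future__ import annotations

# Inclusive affected ranges and fixing releases, exactly as the advisories list them.
AFFECTED = [
    ((10, 0, 0), (10, 4, 54), "10.4.55 ELTS"),
    ((11, 0, 0), (11, 5, 48), "11.5.49 ELTS"),
    ((12, 0, 0), (12, 4, 40), "12.4.41 LTS"),
    ((13, 0, 0), (13, 4, 22), "13.4.23 LTS"),
    ((14, 0, 0), (14, 0, 1), "14.0.2"),
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '12.4.40' (a '-dev' or '+build' suffix is ignored) into a tuple."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised TYPO3 version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def fixed_release(version: str) -> str | None:
    """Return the release that fixes `version`, or None if `version` is not in
    any listed range. None means 'not listed' (e.g. already fixed, or a branch
    the advisories do not mention), not 'proven safe'."""
    v = parse_version(version)
    for low, high, fix in AFFECTED:
        if low <= v <= high:
            return fix
    return None


def spool_deserialization_exposed(version: str, transport_spool_type: str | None,
                                  spool_send_scheduled: bool) -> bool:
    """SA-2026-004 applies only when all three hold: an affected version,
    $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] set to 'file',
    and a scheduler task or cron job that runs mailer:spool:send."""
    return (fixed_release(version) is not None
            and transport_spool_type == "file"
            and spool_send_scheduled)
```

An installation that is not exposed via the spool path is still affected by the
three access-control issues whenever fixed_release() returns a value.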


Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS,
13.4.23 LTS, 14.0.2 that fix the problem described.


Credits

Thanks to Vitaly Simonovich for reporting this issue, and to TYPO3
security team members Elias Häußler and Oliver Hader for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily
look them up in our review system.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================