Security fixes for TYPO3 CMS 6.2 LTS and 7.3
Six security bulletins have just been released by the TYPO3 Security Team. As a result, TYPO3 versions 6.2.0 to 6.2.13 as well as TYPO3 7.0.0 to 7.3.0 are to be classified as insecure. Vulnerabilities in the core allow the following attack scenarios: Cross-Site Scripting, Brute Force Protection Bypass, Information Disclosure, Session Fixation and Access Bypass.
We recommend automated monitoring of TYPO3 instances with the TYPO3 Monitor. This tool has been in use at Brain Appeal for over 5 years and is currently being extended so that everyone can use it. Free accounts are available on request!
Links to the security bulletins:
Access bypass when editing file metadata
Frontend login session fixation
Cross-Site Scripting exploitable by Editors
Information Disclosure possibility exploitable by Editors
Brute Force Protection Bypass in backend login
Cross-site scripting in 3rd party library Flowplayer
A patch fixing these vulnerabilities has also been available for TYPO3 CMS 4.5 since 01.07.2015 (TYPO3 4.5.41). However, this patch is only offered as part of the Extended Long Term Support (ELTS) and is subject to a fee.
More information about this: