
01.07.2015 | Brain Appeal

Security fixes for TYPO3 CMS 6.2 LTS and 7.3

Six security bulletins have just been released by the TYPO3 Security Team. As a result, TYPO3 versions 6.2.0 through 6.2.13 and TYPO3 7.0.0 through 7.3.0 are to be classified as insecure. The vulnerabilities in the core allow the following attack scenarios: Cross-Site Scripting, Brute Force Protection Bypass, Information Disclosure, Session Fixation and Access Bypass.

We recommend automated monitoring of TYPO3 instances with the TYPO3 Monitor. This tool has been in use at Brain Appeal for over five years and is currently being extended so that everyone can use it. Free accounts are available on request.

Links to the security bulletins:

Access bypass when editing file metadata

Frontend login session fixation

Cross-Site Scripting exploitable by Editors

Information Disclosure possibility exploitable by Editors

Brute Force Protection Bypass in backend login

Cross-site scripting in 3rd party library Flowplayer


UPDATE 06.07.2015:

A patch that fixes these vulnerabilities has also been available for TYPO3 CMS 4.5 since 01.07.2015 (TYPO3 4.5.41). However, this patch is only offered as part of the Extended Long Term Support (ELTS) programme and is subject to a fee.
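The affected version ranges stated above (6.2.0 through 6.2.13, 7.0.0 through 7.3.0, and 4.5 releases below the ELTS fix 4.5.41) are easy to misjudge by eye when a site reports something like "6.2.9" or "7.3.0-dev". The following script is an added example, not code from Brain Appeal or the TYPO3 project: it parses a version string, checks it against exactly the ranges named on this page, and can also pull the version out of the `TYPO3_version` definition found in the core source. The file path `typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php` and the `define('TYPO3_version', ...)` form are assumptions about the 6.2-era core layout; the PHP snippet in the block is constructed sample input, not a copy of any real file.

```python
"""Check a TYPO3 version string against the ranges named in the bulletin summary.

Added example; ranges are transcribed from the announcement text above.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) bounds per branch, taken from the page:
#   6.2.0 .. 6.2.13 insecure, 7.0.0 .. 7.3.0 insecure,
#   4.5: the ELTS release 4.5.41 carries the fix, so 4.5.0 .. 4.5.40 are affected.
AFFECTED_RANGES = {
    "6.2 LTS": ((6, 2, 0), (6, 2, 13)),
    "7.x": ((7, 0, 0), (7, 3, 0)),
    "4.5 ELTS": ((4, 5, 0), (4, 5, 40)),
}

# Accepts "6.2.13", "v7.3", "7.3.0-dev"; a pre-release suffix is dropped, so a
# "-dev" build is treated as its base version (conservative for an insecure range).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+][0-9A-Za-z.\-]*)?\s*$")

# Assumed form of the constant in the core source (assumption, see lead-in).
_DEFINE_RE = re.compile(r"define\(\s*'TYPO3_version'\s*,\s*'([^']+)'\s*\)")

# Constructed sample of what such a PHP file might contain; not a real file.
SAMPLE_PHP = """<?php
// ...
define('TYPO3_version', '6.2.12');
define('TYPO3_branch', '6.2');
"""


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) or None when the string is not a version."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_branch(version_text: str) -> Optional[str]:
    """Name of the affected branch the version falls into, or None if outside
    every range listed on the page (which is not proof that it is patched)."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"not a TYPO3 version string: {version_text!r}")
    for name, (low, high) in AFFECTED_RANGES.items():
        if low <= v <= high:
            return name
    return None


def version_from_php_source(php_source: str) -> Optional[str]:
    """Extract the TYPO3_version constant from core source text, if present."""
    m = _DEFINE_RE.search(php_source)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Typical use: read the assumed core file of an installation and check it.
    # Here the constructed sample stands in for the file contents.
    found = version_from_php_source(SAMPLE_PHP)
    branch = affected_branch(found) if found else None
    print(f"TYPO3_version={found} affected_branch={branch}")
```

Running the block on the constructed sample prints the detected version together with the branch name it falls into; an installation whose version falls outside all three ranges reports `None`, which only means the page lists no bulletin for it, not that it is known to be patched.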

More information about this:

Announcing TYPO3 CMS 4.5 Extended Long-Term-Support Plans