[TYPO3-announce] [Ticket#201808095760000011] Vulnerabilities in multiple third party TYPO3 CMS extensions
TYPO3 Security Team
security at typo3.org
Thu Aug 9 10:34:41 CEST 2018
Dear TYPO3 users,
several vulnerabilities have been found in the following third party TYPO3
extensions:
"Heise Shariff" (rx_shariff)
"Register to tt_address" (registeraddress)
"Amazon AWS S3 FAL driver (CDN)" (aus_driver_amazon_s3)
"Powermail" (powermail)
"AWS SDK for PHP" (aws_sdk_php)
"Front End User Registration" (sr_feuser_register)
"Amazon Web Services SDK " (aws_sdk)
"Frontend Treeview" (mh_treeview)
"TemplaVoilà! Plus" (templavoilaplus)
For further information on the issues, please read the related advisories
TYPO3-EXT-SA-2018-001, TYPO3-EXT-SA-2018-002, TYPO3-EXT-SA-2018-003,
TYPO3-EXT-SA-2018-004, TYPO3-EXT-SA-2018-005, TYPO3-EXT-SA-2018-006,
TYPO3-EXT-SA-2018-007, TYPO3-EXT-SA-2018-008 and TYPO3-EXT-SA-2018-009
which were published today:
TYPO3-EXT-SA-2018-001: Cross-Site Scripting in extension "Heise Shariff"
(rx_shariff)
[1]https://typo3.org/security/advisory/typo3-ext-sa-2018-001/
TYPO3-EXT-SA-2018-002: Missing Access Check in extension "Register to
tt_address" (registeraddress)
[2]https://typo3.org/security/advisory/typo3-ext-sa-2018-002/
TYPO3-EXT-SA-2018-003: Environment Variable Injection in extension "Amazon AWS
S3 FAL driver (CDN)" (aus_driver_amazon_s3)
[3]https://typo3.org/security/advisory/typo3-ext-sa-2018-003/
TYPO3-EXT-SA-2018-004: Cross-site scripting vulnerability in extension
"Powermail" (powermail)
[4]https://typo3.org/security/advisory/typo3-ext-sa-2018-004/
TYPO3-EXT-SA-2018-005: Environment Variable Injection in extension "AWS SDK
for PHP" (aws_sdk_php)
[5]https://typo3.org/security/advisory/typo3-ext-sa-2018-005/
TYPO3-EXT-SA-2018-006: Captcha bypass in extension "Front End User
Registration" (sr_feuser_register)
[6]https://typo3.org/security/advisory/typo3-ext-sa-2018-006/
TYPO3-EXT-SA-2018-007: Environment Variable Injection in extension "Amazon Web
Services SDK " (aws_sdk)
[7]https://typo3.org/security/advisory/typo3-ext-sa-2018-007/
TYPO3-EXT-SA-2018-008: Cross-Site Scripting in extension "Frontend Treeview"
(mh_treeview)
[8]https://typo3.org/security/advisory/typo3-ext-sa-2018-008/
TYPO3-EXT-SA-2018-009: Information Disclosure in extension "TemplaVoilà! Plus"
(templavoilaplus)
[9]https://typo3.org/security/advisory/typo3-ext-sa-2018-009/
In general the TYPO3 Security Team recommends to read the following pages:
The TYPO3 Security Guide:
[10]https://docs.typo3.org/typo3cms/SecurityGuide/
Make sure you are subscribed to the TYPO3 Announce List:
[11]http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce
See all TYPO3 security advisories:
[12]https://typo3.org/help/security-advisories/
Regards,
Torben Hansen
Member of the TYPO3 Security Team
--
TYPO3 Security Team homepage: [13]https://typo3.org/teams/security/
E-Mail: security at typo3.org
Please note: When replying to this e-mail, please leave the header intact.
[1] https://typo3.org/security/advisory/typo3-ext-sa-2018-001/
[2] https://typo3.org/security/advisory/typo3-ext-sa-2018-002/
[3] https://typo3.org/security/advisory/typo3-ext-sa-2018-003/
[4] https://typo3.org/security/advisory/typo3-ext-sa-2018-004/
[5] https://typo3.org/security/advisory/typo3-ext-sa-2018-005/
[6] https://typo3.org/security/advisory/typo3-ext-sa-2018-006/
[7] https://typo3.org/security/advisory/typo3-ext-sa-2018-007/
[8] https://typo3.org/security/advisory/typo3-ext-sa-2018-008/
[9] https://typo3.org/security/advisory/typo3-ext-sa-2018-009/
[10] https://docs.typo3.org/typo3cms/SecurityGuide/
[11] http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce
[12] https://typo3.org/help/security-advisories/
[13] https://typo3.org/teams/security/
More information about the TYPO3-announce
mailing list