[TYPO3-announce] Vulnerabilities in multiple third party TYPO3 CMS extensions

Nicole Cordes nicole.cordes at typo3.org
Tue Dec 19 15:14:53 CET 2017 

Dear TYPO3 users,

 

several vulnerabilities have been found in the following third party TYPO3
extensions:

 

"Smallads" (ke_smallads)

"Download Center" (pits_downloadcenter)

"Frontend User Registration" (sf_register)

"DRC News Comment" (news_comment)

"JobControl" (dmmjobcontrol)

"Caretaker" (caretaker)

 

For further information on the issues, please read the related advisories

TYPO3-EXT-SA-2017-015, TYPO3-EXT-SA-2017-016, TYPO3-EXT-SA-2017-017,
TYPO3-EXT-SA-2017-018, TYPO3-EXT-SA-2017-019 and TYPO3-EXT-SA-2017-020 which
were published today:

 

TYPO3-EXT-SA-2017-015: Cross Site-Scripting in extension "Smallads"
(ke_smallads)

https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-e
xt-sa-2017-015/

 

TYPO3-EXT-SA-2017-016: SQL Injection in extension "Download Center"
(pits_downloadcenter)

https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-e
xt-sa-2017-016/

 

TYPO3-EXT-SA-2017-017: Authentication Bypass in extension "Frontend User
Registration" (sf_register)

https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-e
xt-sa-2017-017/

 

TYPO3-EXT-SA-2017-018: Multiple vulnerabilities in extension "DRC News
Comment" (news_comment)

https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-e
xt-sa-2017-018/

 

TYPO3-EXT-SA-2017-019: Multiple vulnerabilities in extension "JobControl"
(dmmjobcontrol)

https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-e
xt-sa-2017-019/

 

TYPO3-EXT-SA-2017-020: Cross Site-Scripting in extension "Caretaker"
(caretaker)

https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-e
xt-sa-2017-020/

 

In general the TYPO3 Security Team recommends to read the following pages:

 

The TYPO3 Security Guide:

 <https://docs.typo3.org/typo3cms/SecurityGuide/>
https://docs.typo3.org/typo3cms/SecurityGuide/

 

Make sure you are subscribed to the TYPO3 Announce List:

 <http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce>
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce

 

See all TYPO3 security advisories:

 <https://typo3.org/teams/security/security-bulletins/>
https://typo3.org/teams/security/security-bulletins/

 

 

Regards,

 

Nicole Cordes

Member of the TYPO3 Security Team

 

--

TYPO3 Security Team homepage:  <https://typo3.org/teams/security/>
https://typo3.org/teams/security/

 

E-Mail: security at typo3.org

More information about the TYPO3-announce mailing list