[TYPO3-announce] [Ticket#201811205760000029] Announcing TYPO3 security related information

TYPO3 Security Team security at typo3.org
Tue Nov 20 13:23:27 CET 2018

Dear TYPO3 users,

the TYPO3 Security Team has just released the following security bulletin and 
public service announcement:

1) TYPO3-EXT-SA-2018-010: Cross-Site Scripting in extension "libconnect"

It has been discovered that the extension "libconnect" (libconnect) is 
susceptible to Cross-Site Scripting.

For further information on the issue, please read the related advisory
TYPO3-EXT-SA-2018-010 which was published today: [1]


2) TYPO3-PSA-2018-002: Web Resource Restrictions

It has been discovered that development related information can be retrieved
via regular HTTP GET requests on NGINX web server environments missing strict
restriction settings.

For further information on the issue, please read the related Public 
Service Announcement TYPO3-PSA-2018-002 which was published today: [2]


In general, the TYPO3 Security Team recommends reading the following pages:

The TYPO3 Security Guide: [3]

Make sure you are subscribed to the TYPO3 Announce List: [4]

See all TYPO3 security advisories: [5]


Torben Hansen
Member of the TYPO3 Security Team

TYPO3 Security Team homepage: [6] https://typo3.org/teams/security/

E-Mail: security at typo3.org

Please note: When replying to this e-mail, please leave the header intact.

[1] https://typo3.org/security/advisory/typo3-ext-sa-2018-010/
[2] https://typo3.org/security/advisory/typo3-psa-2018-002/
[3] https://docs.typo3.org/typo3cms/CoreApiReference/Security/Index.html
[4] http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce
[5] https://typo3.org/help/security-advisories/
[6] https://typo3.org/teams/security/
