[TYPO3-announce] [Ticket#201905075760000019] Vulnerabilities in multiple third party TYPO3 CMS extensions

TYPO3 Security Team security at typo3.org
Tue May 7 13:33:43 CEST 2019


Dear TYPO3 users,

Several vulnerabilities have been found in the following third-party TYPO3
extensions:

"Faceted Search" (ke_search)
"Hairu" (hairu)
"ImageOptimizer" (imageoptimizer)
"phpMyAdmin" (phpmyadmin)
"gkh RSS Import" (gkh_rss_import)
"Instagram" (ws_instagram)
"Event Calender" (pits_wd_calender)
"Yet Another Gallery" (yag)
"comsolit Suggest" (comsolit_suggest)

For further information on the issues, please read the related advisories
TYPO3-EXT-SA-2019-005, TYPO3-EXT-SA-2019-006, TYPO3-EXT-SA-2019-007,
TYPO3-EXT-SA-2019-008, TYPO3-EXT-SA-2019-009, TYPO3-EXT-SA-2019-010,
TYPO3-EXT-SA-2019-011, TYPO3-EXT-SA-2019-012, TYPO3-EXT-SA-2019-013
which were published today:

TYPO3-EXT-SA-2019-005: SQL Injection in extension "Faceted Search" (ke_search)
[1]https://typo3.org/security/advisory/typo3-ext-sa-2019-005/

TYPO3-EXT-SA-2019-006: Open Redirect in extension "Hairu" (hairu)
[2]https://typo3.org/security/advisory/typo3-ext-sa-2019-006/

TYPO3-EXT-SA-2019-007: Remote Code Execution in extension "ImageOptimizer"
(imageoptimizer)
[3]https://typo3.org/security/advisory/typo3-ext-sa-2019-007/

TYPO3-EXT-SA-2019-008: Multiple vulnerabilities in extension "phpMyAdmin"
(phpmyadmin)
[4]https://typo3.org/security/advisory/typo3-ext-sa-2019-008/

TYPO3-EXT-SA-2019-009: Cross Site Scripting in extension "gkh RSS Import"
(gkh_rss_import)
[5]https://typo3.org/security/advisory/typo3-ext-sa-2019-009/

TYPO3-EXT-SA-2019-010: Cross Site Scripting in extension "Instagram"
(ws_instagram)
[6]https://typo3.org/security/advisory/typo3-ext-sa-2019-010/

TYPO3-EXT-SA-2019-011: SQL Injection in extension "Event Calender"
(pits_wd_calender)
[7]https://typo3.org/security/advisory/typo3-ext-sa-2019-011/

TYPO3-EXT-SA-2019-012: Arbitrary file Upload in extension "Yet Another
Gallery" (yag)
[8]https://typo3.org/security/advisory/typo3-ext-sa-2019-012/

TYPO3-EXT-SA-2019-013: SQL Injection in extension "comsolit Suggest"
(comsolit_suggest)
[9]https://typo3.org/security/advisory/typo3-ext-sa-2019-013/

In general, the TYPO3 Security Team recommends reading the following pages:

The TYPO3 Security Guide:
[10]https://docs.typo3.org/typo3cms/CoreApiReference/Security/Index.html

Make sure you are subscribed to the TYPO3 Announce List:
[11]http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce

See all TYPO3 security advisories:
[12]https://typo3.org/help/security-advisories/

Regards,

Torben Hansen
Member of the TYPO3 Security Team

--
TYPO3 Security Team homepage: [13]https://typo3.org/teams/security/

E-Mail: security at typo3.org

Please note: When replying to this e-mail, please leave the header intact.


[1] https://typo3.org/security/advisory/typo3-ext-sa-2019-005/
[2] https://typo3.org/security/advisory/typo3-ext-sa-2019-006/
[3] https://typo3.org/security/advisory/typo3-ext-sa-2019-007/
[4] https://typo3.org/security/advisory/typo3-ext-sa-2019-008/
[5] https://typo3.org/security/advisory/typo3-ext-sa-2019-009/
[6] https://typo3.org/security/advisory/typo3-ext-sa-2019-010/
[7] https://typo3.org/security/advisory/typo3-ext-sa-2019-011/
[8] https://typo3.org/security/advisory/typo3-ext-sa-2019-012/
[9] https://typo3.org/security/advisory/typo3-ext-sa-2019-013/
[10] https://docs.typo3.org/typo3cms/CoreApiReference/Security/Index.html
[11] http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce
[12] https://typo3.org/help/security-advisories/
[13] https://typo3.org/teams/security/

