FreeBSD: VID-BAB29816-FF93-11E8-B05B-00E04C1EA73D: typo3 -- multiple vulnerabilities

Description

Typo3 core team reports:

CKEditor 4.11 fixes an XSS vulnerability in the HTML parser reported by maxarr.

The vulnerability stemmed from the fact that it was possible to execute XSS inside

the CKEditor source area after persuading the victim to: (i) switch CKEditor to

source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker,

into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.

Although this is an unlikely scenario, we recommend to upgrade to the latest editor version.

Failing to properly encode user input, online media asset rendering

(*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user

account or write access on the server system (e.g. SFTP) is needed in order to exploit this

vulnerability.

Failing to properly encode user input, notifications shown in modal windows in the TYPO3

backend are vulnerable to cross-site scripting. A valid backend user account is needed in

order to exploit this vulnerability.

Failing to properly encode user input, login status display is vulnerable to cross-site

scripting in the website frontend. A valid user account is needed in order to exploit this

vulnerability - either a backend user or a frontend user having the possibility to modify

their user profile.

Template patterns that are affected are:

###FEUSER_[fieldName]### using system extension felogin

<!--###USERNAME###--> for regular frontend rendering

(pattern can be defined individually using TypoScript setting

config.USERNAME_substToken)

It has been discovered that cookies created in the Install Tool are not hardened to be

submitted only via HTTP. In combination with other vulnerabilities such as cross-site

scripting it can lead to hijacking an active and valid session in the Install Tool.

The Install Tool exposes the current TYPO3 version number to non-authenticated users.

Online Media Asset Handling (*.youtube and *.vimeo files) in the TYPO3 backend is vulnerable

to denial of service. Putting large files with according file extensions results in high

consumption of system resources. This can lead to exceeding limits of the current PHP process

which results in a dysfunctional backend component. A valid backend user account or write

access on the server system (e.g. SFTP) is needed in order to exploit this vulnerability.

TYPO3’s built-in record registration functionality (aka “basic shopping cart”) using recs

URL parameters is vulnerable to denial of service. Failing to properly ensure that anonymous

user sessions are valid, attackers can use this vulnerability in order to create an arbitrary

amount of individual session-data records in the database.