
Security update for TYPO3 versions 8 to 12 - 11/2023

The TYPO3 Security Team released new TYPO3 versions yesterday. They close three security vulnerabilities.

TYPO3-CORE-SA-2023-007:
Bypassing Cross-Site Scripting Protection in HTML Sanitizer

Affected component: HTML Sanitizer (HTML code cleanup)
Vulnerability type: Cross-site scripting
Severity: medium
Affected TYPO3 versions: 8.7.42-8.7.54, 9.5.29-9.5.43, 10.4.19-10.4.40, 11.3.2-11.5.32, 12.0.0-12.4.7

Details: DOM processing instructions are not handled correctly. This allows the cross-site scripting protection of typo3/html-sanitizer to be bypassed.

TYPO3-CORE-SA-2023-006:
Weak Authentication in Session Handling

Affected component: TYPO3 CMS (ext:core)
Vulnerability type: Unintentional disclosure of information
Severity: medium
Affected TYPO3 versions: 8.0.0-8.7.54, 9.0.0-9.5.43, 10.0.0-10.4.40, 11.0.0-11.5.32, 12.0.0-12.4.7

Details: Provided that there are at least two different sites in the same TYPO3 installation - for example first.example.org and second.example.com - a session cookie generated for the first site can be reused on the second site without the need for additional authentication.

TYPO3-CORE-SA-2023-005:
Information Disclosure in Install Tool

Affected component: TYPO3 CMS (ext:install)
Vulnerability type: Unintentional disclosure of information
Severity: low
Affected TYPO3 versions: 12.2.0-12.4.7

Details: The login screen of the standalone installation tool shows the full path of the transient data directory (e.g. /var/www/html/var/transient/). This only applies to Composer-based scenarios - "classic" non-Composer installations are not affected.
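To check which of the three advisories apply to a given installation, here is a small added helper (not part of the original post or of TYPO3 itself) that encodes the affected version ranges listed above. It assumes a Composer-based installation whose core version is recorded under the package name typo3/cms-core in composer.lock; the sample lock file content is constructed for illustration.

```python
import json

# Affected version ranges exactly as listed in the advisory summary
# (inclusive lower and upper bound per release branch).
AFFECTED = {
    "TYPO3-CORE-SA-2023-007": [("8.7.42", "8.7.54"), ("9.5.29", "9.5.43"),
                               ("10.4.19", "10.4.40"), ("11.3.2", "11.5.32"),
                               ("12.0.0", "12.4.7")],
    "TYPO3-CORE-SA-2023-006": [("8.0.0", "8.7.54"), ("9.0.0", "9.5.43"),
                               ("10.0.0", "10.4.40"), ("11.0.0", "11.5.32"),
                               ("12.0.0", "12.4.7")],
    "TYPO3-CORE-SA-2023-005": [("12.2.0", "12.4.7")],
}


def parse_version(version):
    """Turn 'v11.5.32' or '11.5.32-dev' into the tuple (11, 5, 32).

    Non-digit characters in each component are dropped so that Composer's
    leading 'v' and any suffix do not break the numeric comparison.
    """
    parts = []
    for component in version.strip().split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def applicable_advisories(version):
    """Return the sorted advisory IDs whose affected ranges contain `version`."""
    v = parse_version(version)
    return sorted(
        advisory for advisory, ranges in AFFECTED.items()
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
    )


def version_from_composer_lock(lock_text):
    """Extract the installed typo3/cms-core version from composer.lock content
    (assumption: Composer-based setup); returns None if the package is absent."""
    for package in json.loads(lock_text).get("packages", []):
        if package.get("name") == "typo3/cms-core":
            return package.get("version")
    return None


if __name__ == "__main__":
    # Constructed sample lock file, not taken from a real installation.
    sample_lock = '{"packages": [{"name": "typo3/cms-core", "version": "v11.5.30"}]}'
    installed = version_from_composer_lock(sample_lock)
    print(installed, "->", applicable_advisories(installed))
```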
