
TYPO3 security update 13.4.3, 12.4.25

The TYPO3 Security Team has released new TYPO3 versions today. They close eight security vulnerabilities.

TYPO3-CORE-SA-2025-001: Information Disclosure via Exception Handling/Logger

Affected component: TYPO3 CMS
Severity: low
Affected TYPO3 versions: 13.4.2

Details: If the configured hashing mechanism did not match the one used for the stored Install Tool password, the password was logged in plain text.

TYPO3-CORE-SA-2025-002: Potential Open Redirect via Parsing Differences

Affected component: TYPO3 CMS
Severity: medium
Affected TYPO3 versions: 9.0.0-9.5.48, 10.0.0-10.4.47, 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2

Details: Previously, external URLs processed by TYPO3\CMS\Core\Http\Uri were only sanitized, not validated. A missing scheme and a missing host are now added dynamically, and the URL is converted to ASCII before validation, because PHP's filter_var() does not accept domains containing UTF-8 characters as valid.
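The validation approach described for SA-2025-002, as an added example that is not TYPO3's own code: complete a missing scheme or host, punycode the host, then let filter_var() and a host allow-list decide. It assumes PHP 8 with ext-intl loaded; the function names and the fallback parameters are ours.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code. It mirrors the approach the advisory
// describes: fill in a missing scheme or host, convert the host to ASCII
// (IDNA) and only then let filter_var() judge the URL. Needs ext-intl.

/**
 * Return the ASCII form of $url if it validates, null otherwise. The fallback
 * scheme/host (hypothetical defaults) only complete a relative or
 * protocol-relative URL so that filter_var() has a full URL to evaluate.
 */
function validateUrlAsAscii(string $url, string $fallbackScheme = 'https', string $fallbackHost = 'localhost'): ?string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return null;                       // unparseable: reject
    }
    $scheme = $parts['scheme'] ?? $fallbackScheme;
    $host   = $parts['host'] ?? $fallbackHost;
    // filter_var() only accepts ASCII, so punycode a UTF-8 host first
    $asciiHost = idn_to_ascii($host, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
    if ($asciiHost === false) {
        return null;                       // not a convertible domain name
    }
    $userInfo = isset($parts['user'])
        ? $parts['user'] . (isset($parts['pass']) ? ':' . $parts['pass'] : '') . '@'
        : '';
    $path = $parts['path'] ?? '/';         // a relative path needs a leading slash
    $rebuilt = $scheme . '://' . $userInfo . $asciiHost
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . (str_starts_with($path, '/') ? $path : '/' . $path)
        . (isset($parts['query']) ? '?' . $parts['query'] : '')
        . (isset($parts['fragment']) ? '#' . $parts['fragment'] : '');
    return filter_var($rebuilt, FILTER_VALIDATE_URL) === false ? null : $rebuilt;
}

/** Allow a redirect only if the URL validates and its ASCII host is on the allow-list. */
function isAllowedRedirectTarget(string $url, array $allowedHosts): bool
{
    $ascii = validateUrlAsAscii($url);
    if ($ascii === null) {
        return false;
    }
    $host = strtolower((string) parse_url($ascii, PHP_URL_HOST));
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

// Constructed inputs: an IDN host that filter_var() rejects untouched, and a protocol-relative URL.
var_dump(validateUrlAsAscii('https://bücher.example/katalog'));
var_dump(isAllowedRedirectTarget('//bücher.example/', ['xn--bcher-kva.example']));
```

Comparing the host only after punycoding means the allow-list is checked against the same form the browser resolves, which is the point of converting before validation.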

TYPO3-CORE-SA-2025-003: Cross-Site Request Forgery in Log Module

Affected component: TYPO3 CMS
Severity: medium
Affected TYPO3 versions: 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2

Details: This vulnerability requires an active TYPO3 backend session. With a modified HTTP request it is possible to remove log entries via TYPO3 Deep-Link into the log module.

TYPO3-CORE-SA-2025-004: Cross-Site Request Forgery in Backend User Module

Affected component: TYPO3 CMS
Severity: medium
Affected TYPO3 versions: 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2

Details: This vulnerability requires an active TYPO3 backend session. With a modified HTTP request it is possible to reset passwords or remove the active user session via TYPO3 Deep-Link into the backend user module.

TYPO3-CORE-SA-2025-005: Cross-Site Request Forgery in Dashboard Module

Affected component: TYPO3 CMS
Severity: medium
Affected TYPO3 versions: 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2

Details: This vulnerability requires an active TYPO3 backend session. With a modified HTTP request it is possible to modify the Dashboard widget configuration via TYPO3 Deep-Link into the Dashboard module.

TYPO3-CORE-SA-2025-006: Cross-Site Request Forgery in Extension Manager Module

Affected component: TYPO3 CMS
Severity: high
Affected TYPO3 versions: 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2

Details: This vulnerability requires an active TYPO3 backend session. Through a modified HTTP request it is possible to install additional TYPO3 extensions via TYPO3 Deep-Link into the Extension Manager module, which could be misused to inject malicious code.

TYPO3-CORE-SA-2025-007: Cross-Site Request Forgery in Form Framework Module

Affected component: TYPO3 CMS
Severity: medium
Affected TYPO3 versions: 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2

Details: This vulnerability requires an active TYPO3 backend session. With a modified HTTP request it is possible to manipulate and delete form definitions via TYPO3 Deep-Link into the Form Framework module.

TYPO3-CORE-SA-2025-008: Cross-Site Request Forgery in Indexed Search Module

Affected component: TYPO3 CMS
Severity: medium
Affected TYPO3 versions: 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2

Details: This vulnerability requires an active TYPO3 backend session. With a modified HTTP request it is possible to remove entries of this component via TYPO3 Deep-Link into the Indexed Search Module.
