TYPO3 Extension Security Bulletins 01 – 2016

On March 3rd the TYPO3 security team published six security bulletins regarding extensions. The following extensions were covered: ics_utopia, listfeusers, enter_new_weeaar_googlesitemap, festat, kickstarter, solr. For details, read on …

Information Disclosure in extension “UTOPIA” (ics_utopia)

This extension will not be updated and will receive no security update. Please remove the extension from your installation and all associated files from fileadmin.

Extensionkey: ics_utopia
Severity: medium
Link: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-001/

Cross-Site Scripting in extension “List frontend users” (listfeusers)

An updated version is available via TER. Please update the extension as soon as possible.

Extensionkey: listfeusers
Severity: low
Link: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-002/

Cross-Site Scripting in extension “Google Sitemap” (enter_new_weeaar_googlesitemap)

This extension will not be updated and will receive no security update. Please remove the extension from your installation.

Extensionkey: enter_new_weeaar_googlesitemap
Severity: medium
Link: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-003/

Multiple vulnerabilities in extension “Fe user statistic” (festat)

Old versions of the extension contain multiple vulnerabilities, which leads to a severity rating of “high”. Please update as soon as possible to the current version in the TER.

Extensionkey: festat
Severity: high
Link: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-004/

Cross-Site Scripting in extension “Extension Kickstarter” (kickstarter)

To exploit this vulnerability, a backend user with admin rights must be logged in. Please update to the latest TER version.

Extensionkey: kickstarter
Severity: low
Link: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-005/

Cross-Site Scripting in extension “Apache Solr for TYPO3” (solr)

A cross-site scripting vulnerability was discovered in the extension “solr”. Please update to the latest available version on TER.

Extensionkey: solr
Severity: low
Link: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-006/

Thanks to all reporters and the TYPO3 security team for taking care of the issues and updates.
