On Tuesday, February 17th, the TYPO3 development team released maintenance updates for TYPO3 versions 6.2 and 7.6. Four security patches and many bugfixes are included. Read on for details …

Fixed Security Vulnerabilities

Security bulletins were published for the following issues:

SQL Injection in dbal (EXT:dbal)

TYPO3 versions: 6.2.0 – 6.2.17
Link: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-001/

This is a severe issue, but it only affects installations that use dbal with MySQL passthrough enabled. If you use dbal in that configuration, you are hit.

Cross-Site Scripting in link validator component (EXT:linkvalidator)

TYPO3 versions: 6.2.0 – 6.2.17, 7.6.0 – 7.6.2
Link: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-002/

This allows cross-site scripting in the backend via the link validator. To exploit it, an attacker needs a valid backend login and access to content that is scanned by the linkvalidator.

Cross-Site Scripting in content element “form” (legacy)

TYPO3 versions: 6.2.0 – 6.2.17
Link: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-003/

A cross-site scripting vulnerability was found in the legacy content element “form”. To exploit it, an attacker needs a valid backend login and access to a form content element.

Cross-Site Scripting in form component (EXT:form)

TYPO3 versions: 6.2.0 – 6.2.17
Link: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-004/

This issue can be exploited by any website visitor through a form provided by the system extension “form”: the extension fails to sanitize user input properly, so no backend login is required.

All issues are fixed by installing the current versions. If you want to see the changed lines of code, have a look at the TYPO3 review system; the patches are tagged with “security”.

You are strongly advised to install the new versions. You can download the packages from TYPO3.org.
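The version ranges from the four bulletins turn into a quick check of an installation. The script below is an added example and not part of the release notes or of TYPO3's own tooling; it assumes that the core defines the TYPO3_version constant in typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php (the layout of the 6.2 and 7.6 branches), and the function names and the stand-in file it writes for the demonstration are mine.

```shell
#!/bin/sh
# Added example (not from TYPO3): classify an installed TYPO3 version against
# the version ranges named in TYPO3-CORE-SA-2016-001 to -004.

# typo3_installed_version DOCROOT
# Reads the TYPO3_version constant from the core's SystemEnvironmentBuilder.php.
# Assumption: it is defined there as  define('TYPO3_version', 'X.Y.Z');
typo3_installed_version() {
    sed -n "s/.*define('TYPO3_version', '\([0-9][0-9.]*\)'.*/\1/p" \
        "$1/typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php"
}

# typo3_affected VERSION
# Prints the bulletins that apply to VERSION, "fixed" if the version already
# carries the patches, or "not covered" for branches the bulletins do not list.
typo3_affected() {
    v="$1"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;          # "6.2" without patch level: treat as .0
    esac
    patch=${patch%%[!0-9]*}      # strip suffixes such as "-dev"
    [ -n "$patch" ] || patch=0

    case "$major.$minor" in
        6.2)
            # 6.2.0 - 6.2.17 are hit by all four bulletins
            if [ "$patch" -le 17 ]; then
                echo "TYPO3-CORE-SA-2016-001 TYPO3-CORE-SA-2016-002 TYPO3-CORE-SA-2016-003 TYPO3-CORE-SA-2016-004"
            else
                echo fixed
            fi
            ;;
        7.6)
            # 7.6.0 - 7.6.2 are hit by the linkvalidator XSS only
            if [ "$patch" -le 2 ]; then
                echo "TYPO3-CORE-SA-2016-002"
            else
                echo fixed
            fi
            ;;
        *)
            echo "not covered"
            ;;
    esac
}

# Demonstration against a constructed stand-in for the core file, so the
# script runs without a real TYPO3 installation. Point
# typo3_installed_version at a real document root instead to check a site.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/typo3/sysext/core/Classes/Core"
    printf "<?php\ndefine('TYPO3_version', '6.2.17');\n" \
        > "$root/typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php"
    ver=$(typo3_installed_version "$root")
    echo "installed: $ver -> $(typo3_affected "$ver")"
    rm -rf "$root"
}

demo
```

Run it with the document root of the installation instead of the constructed directory to see which bulletins apply; the "not covered" result for other branches (for example 4.5 under ELTS) is deliberate, since those receive their notices separately.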

If you participate in the TYPO3 4.5 ELTS program, you have already received a notice about the updates.

Bugfixes

Besides the four security fixes, a great many bugfixes went into the TYPO3 core.

Version 6.2.18 received 30 bugfixes. The current LTS version, 7.6, received 159 enhancements and bugfixes since the last release in December.