On March 3rd the TYPO3 security team published six security bulletins regarding extensions. The following extensions were covered: ics_utopia, listfeusers, enter_new_weeaar_googlesitemap, festat, kickstarter, solr. For details, read on …
Information Disclosure in extension “UTOPIA” (ics_utopia)
This extension will not be updated and will receive no security update. Please remove the extension from your installation and all associated files from fileadmin.
Extensionkey: ics_utopia
Severity: medium
Link: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-001/
Cross-Site Scripting in extension “List frontend users” (listfeusers)
An updated version is available via TER. Please update the extension as soon as possible.
Extensionkey: listfeusers
Severity: low
Link: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-002/
Cross-Site Scripting in extension “Google Sitemap” (enter_new_weeaar_googlesitemap)
This extension will not be updated and will receive no security update. Please remove the extension from your installation.
Extensionkey: enter_new_weeaar_googlesitemap
Severity: medium
Link: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-003/
Multiple vulnerabilities in extension “Fe user statistic” (festat)
Old versions of the extension contain multiple vulnerabilities. This leads to a severity rating of “high”. Please update as soon as possible to the current version available in the TER.
Extensionkey: festat
Severity: high
Link: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-004/
Cross-Site Scripting in extension “Extension Kickstarter” (kickstarter)
In order to exploit this vulnerability, a backend user with admin rights must be logged in. Please update to the latest TER version.
Extensionkey: kickstarter
Severity: low
Link: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-005/
Cross-Site Scripting in extension “Apache Solr for TYPO3” (solr)
A cross-site scripting vulnerability was discovered in the extension “solr”. Please update to the latest available version on TER.
Extensionkey: solr
Severity: low
Link: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-006/
Thanks to all reporters and the TYPO3 security team for taking care of the issues and updates.