Component Type: Third Party Extension. The extension is not part of the
TYPO3 default installation
Affected Components: dam_downloads
Versions: 1.0.1 and earlier
Vulnerability Type: Path traversal and SQL injection
Severity: High
Problem Description:
A serious problem has been discovered in the file zipit.php, which is used
as part of the dam_downloads extension and allows a user to download
arbitrary files from the server.
A weakness has also been discovered that may be used to execute arbitrary SQL.
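The advisory names the two weakness classes but, as is usual for a TYPO3 advisory, does not reproduce the affected code. The following added example is not zipit.php or any other dam_downloads code; it shows the two defensive checks a download script of this kind needs: a user-supplied file name is confined to an allowed directory with realpath(), and the record lookup is a prepared statement with a bound integer parameter rather than string concatenation. The directory, the table name tx_example_downloads and the column names are assumptions for the example; the SQLite in-memory database exists only so the block runs stand-alone.

```php
<?php
// Added example, not the dam_downloads extension's code. Directory and
// table/column names are assumed for illustration.
declare(strict_types=1);

// Assumed base directory from which downloads may be served.
const DOWNLOAD_ROOT = __DIR__ . '/downloads';

/**
 * Resolve $relative inside DOWNLOAD_ROOT and reject anything that escapes it.
 * Returns the absolute path of an existing regular file, or null.
 */
function resolveDownloadPath(string $relative): ?string
{
    // NUL bytes can truncate a path in the underlying C calls; refuse them.
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    $root = realpath(DOWNLOAD_ROOT);
    if ($root === false) {
        return null; // base directory missing: nothing can be served
    }
    // realpath() canonicalises ".", ".." and symlinks; false if the file is absent.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // The canonical path must start with "<root>/"; "../../etc/passwd" fails here.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Look up a download record by id. The id is validated as digits and bound
 * as an integer parameter, so input such as "1 OR 1=1" never reaches the
 * query text.
 */
function fetchDownloadRecord(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT uid, file_name FROM tx_example_downloads WHERE uid = :uid'
    );
    $stmt->bindValue(':uid', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Stand-alone demonstration with a constructed download directory and table. */
function demo(): void
{
    // Constructed fixture: one allowed file inside the download root.
    if (!is_dir(DOWNLOAD_ROOT)) {
        mkdir(DOWNLOAD_ROOT, 0700, true);
    }
    file_put_contents(DOWNLOAD_ROOT . '/report.pdf', 'constructed sample');

    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tx_example_downloads (uid INTEGER PRIMARY KEY, file_name TEXT)');
    $db->exec("INSERT INTO tx_example_downloads VALUES (1, 'report.pdf')");

    // Normal request: record found and file resolves inside the root.
    $row = fetchDownloadRecord($db, '1');
    var_dump($row !== null && resolveDownloadPath($row['file_name']) !== null); // bool(true)

    // Traversal attempt: rejected even though the target may exist on disk.
    var_dump(resolveDownloadPath('../../etc/passwd'));                          // NULL

    // Injection attempt: rejected before any SQL is built.
    var_dump(fetchDownloadRecord($db, '1 OR 1=1'));                             // NULL
}

demo();
```

The prefix check is what makes the realpath() approach sound: comparing against `$root . DIRECTORY_SEPARATOR` rather than `$root` alone prevents a sibling directory such as `downloads_private` from passing as a match. On the database side, the ctype_digit() check is a convenience; the bound PDO::PARAM_INT parameter is the control that actually keeps user input out of the query text.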
Solution:
An updated version 1.1.0 is available in the extension repository and at typo3.org/extensions/repository/search/dam_downloads/1.1.0/
Users of the extension dam_downloads are advised to update the extension immediately.
Credits:
Thanks to Marc Bastian Heinrichs who discovered the vulnerability and notified
the security team. Special thanks to Rupert Germann, who is not the extension author, but volunteered to update the extension and did so within a few hours.