Component Type: TYPO3 Core
Vulnerability Types: Cross-Site Scripting, Remote Code Execution
Overall Severity: Critical
Release Date: July 30, 2013

Vulnerable subcomponent: Third Party Libraries used for audio and video playback
Vulnerability Type: Cross-Site Scripting
Affected Versions: All versions from 4.5.0 up to the development branch of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C
Related CVEs: CVE-2011-3642, CVE-2013-1464
Problem Description: TYPO3 bundles Flash files for video and audio playback. The bundled old versions of FlowPlayer and flashmedia are susceptible to Cross-Site Scripting. No authentication is required to exploit this vulnerability.
Solution: Update to TYPO3 version 4.5.29, 4.7.14, 6.0.8 or 6.1.3, which fix the problem described.
Credits: Credits go to Markus Pieton and Vytautas Paulikas who discovered and reported the issues.

Vulnerable subcomponent: Backend File Upload / File Abstraction Layer
Vulnerability Type: Remote Code Execution by arbitrary file creation
Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C
CVE: CVE-2013-4250
Problem Description: The file upload component and the File Abstraction Layer fail to check for denied file extensions, which allows authenticated editors (even those with limited permissions) to upload PHP files containing arbitrary code, which can then be executed in the web server's context.
Solution: Update to TYPO3 version 6.0.8 or 6.1.3, which fix the problem described.
Credits: Credits go to Sebastian Nerz who discovered and reported the issue.
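As an added example (not TYPO3's own code), the kind of denied-extension check that the upload component and File Abstraction Layer were missing, written in Python so it runs stand-alone. TYPO3 keeps its own rule in the fileDenyPattern setting; the regex, the normalisation steps and the sample file names below are constructed for this example and are assumptions, not TYPO3's values.

```python
import re

# Constructed deny pattern (an assumption for this example, not TYPO3's own).
# Clause 1: a PHP-like extension anywhere in the name, even when further
#           extensions follow it (name.php.txt), since some web servers still
#           hand such files to the PHP interpreter.
# Clause 2: a server configuration file that could change how the web server
#           treats the upload directory.
DENY_PATTERN = re.compile(
    r"\.(php[3-7]?|phpsh|phtml|phar)(\..*)?$|^\.htaccess$",
    re.IGNORECASE,
)


def normalize_filename(name: str) -> str:
    """Reduce a client-supplied name to the base name that would be stored.

    Path components are dropped and trailing spaces/dots removed, because the
    check must run against the name the file will actually have on disk.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.strip().rstrip(". ")


def is_denied(name: str, pattern: re.Pattern = DENY_PATTERN) -> bool:
    """Return True when the file must not be stored under the web root."""
    base = normalize_filename(name)
    if not base:
        return True  # nothing left after normalisation: reject
    return pattern.search(base) is not None


def filter_uploads(names):
    """Split a batch of requested file names into (allowed, denied) lists."""
    allowed, denied = [], []
    for n in names:
        (denied if is_denied(n) else allowed).append(n)
    return allowed, denied


if __name__ == "__main__":
    # Constructed sample batch of upload names for demonstration.
    sample = ["report.pdf", "logo.PNG", "shell.php", "shell.PHP5",
              "notes.php.txt", "index.phtml", ".htaccess", "../a.php"]
    ok, bad = filter_uploads(sample)
    print("allowed:", ok)
    print("denied: ", bad)
```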

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.