Problem Description

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.

The vulnerability is only exploitable, when the “E-Mail MFA Provider” is not the default MFA provider and when at least one other MFA provider is available to the user.

Solution

Updated versions 2.0.1 and 1.0.7 are available from the TYPO3 extension manager, packagist and at

https://extensions.typo3.org/extension/download/mfa_email/2.0.1/zip
https://extensions.typo3.org/extension/download/mfa_email/1.0.7/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Jan Holtkötter for reporting the vulnerability and to Ralf Freit for providing an updated version of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The extension fails to verify, if an authenticated user has permissions to access redirects resulting in exposure of redirect records when editing a page.

Solution

Updated versions 4.0.5, 3.1.7 and 2.1.2 are available from the TYPO3 extension manager, packagist and at

https://extensions.typo3.org/extension/download/redirect_tab/4.0.5/zip
https://extensions.typo3.org/extension/download/redirect_tab/3.1.7/zip
https://extensions.typo3.org/extension/download/redirect_tab/2.1.2/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Guido Schmechel for reporting the vulnerability and for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].

Solution

Updated versions 0.5.2 and 0.4.5 are available from the TYPO3 extension manager, packagist and at

https://extensions.typo3.org/extension/download/mailqueue/0.4.5/zip
https://extensions.typo3.org/extension/download/mailqueue/0.5.2/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to TYPO3 security team member Elias Häußler for reporting the vulnerability and for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The extension bundles the PHP package “aws/aws-sdk-php”, which contains a known Broken or Risky Cryptographic Algorithm vulnerability.

Solution

All versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository, because the extension is outdated and unmaintained.

Please uninstall and delete the extension folder from your installation and search on the TYPO3 Extension Repository for alternative extensions.

Credits

Thanks to Michael Schams  for reporting the vulnerability.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The extension bundles the PHP package “aws/aws-sdk-php”, which contains a known Broken or Risky Cryptographic Algorithm vulnerability.

Solution

Updated versions 11.0.4 and 12.0.2 are available from the TYPO3 extension manager, packagist and at

https://extensions.typo3.org/extension/download/aws_tools/11.0.3/zip
https://extensions.typo3.org/extension/download/aws_tools/12.0.2/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Michael Schams  for reporting the vulnerability and to Leuchtfeuer Digital Marketing for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The extension bundles the PHP package “aws/aws-sdk-php”, which contains a known Broken or Risky Cryptographic Algorithm vulnerability.

Solution

An updated version 3.368.0 is available from the TYPO3 extension manager at

https://extensions.typo3.org/extension/download/aws_sdk_php/3.368.0/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Michael Schams  for reporting the vulnerability and for providing an updated version of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The extension extends TYPO3’s FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004. Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization, because the affected vulnerable code was extracted from TYPO3 core to the extension.

More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004.

Solution

Updated versions 0.5.1 and 0.4.3 are available from the TYPO3 extension manager, packagist and at

https://extensions.typo3.org/extension/download/mailqueue/0.4.3/zip
https://extensions.typo3.org/extension/download/mailqueue/0.5.1/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to TYPO3 security team member Elias Häußler for reporting the vulnerability and for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

• Component Type: TYPO3 CMS
• Subcomponent: Mailer (ext:core)
• Release Date: January 13, 2026
• Vulnerability Type: Insecure Deserialization
• Affected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, 14.0.0-14.0.1
• Severity: Medium
• Suggested CVSS: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
• References: CVE-2026-0859, CWE-502

Problem Description

Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server.

The vulnerability is triggered when TYPO3 is configured with $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file'; and a scheduler task or cron job runs the command mailer:spool:send. The spool‑send operation performs the insecure deserialization that is at the core of this issue.

Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

Credits

Thanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

• Component Type: TYPO3 CMS
• Subcomponent: Recycler (ext:recycler)
• Release Date: January 13, 2026
• Vulnerability Type: Broken Access Control
• Affected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, 14.0.0-14.0.1
• Severity: High
• Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
• References: CVE-2025-59022, CWE-862

Problem Description

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable.

Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

Credits

Thanks to Sven Jürgens and Daniel Windloff for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

• Component Type: TYPO3 CMS
• Subcomponent: Redirects (ext:redirects)
• Release Date: January 13, 2026
• Vulnerability Type: Broken Access Control
• Affected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, 14.0.0-14.0.1
• Severity: Medium
• Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
• References: CVE-2025-59021, CWE-862

Problem Description

Backend users with access to the redirects module and write permission on the sys_redirect table were able to  read, create, and modify any redirect record - without restriction to the user’s own file‑mounts or web‑mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs - facilitating phishing or other malicious redirect attacks.

Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

Credits

Thanks to Georg Dümmler for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

• Component Type: TYPO3 CMS
• Subcomponent: Edit Document Controller (ext:backend)
• Release Date: January 13, 2026
• Vulnerability Type: Broken Access Control
• Affected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, 14.0.0-14.0.1
• Severity: Medium
• Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
• References: CVE-2025-59020, CWE-863

Problem Description

By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields.

Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

Credits

Thanks to Daniel Windloff for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

Problem Description

The extension bundles the PHP package “onelogin/php-saml”, which is affected by a Authentication Bypass vulnerability via a Signature Validation Bypass vulnerability in “robrichards/xmlseclibs”.

Solution

Updated versions 3.0.8 and 4.0.5 are available from the TYPO3 extension manager, packagist and at

https://extensions.typo3.org/extension/download/md_saml/3.0.8/zip
https://extensions.typo3.org/extension/download/md_saml/4.0.5/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Christoph Daecke  for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The extension provides a feature to login as a frontend user for authenticated backend users by calling a special URL. The implemented access check can however be bypassed, if the extension setting “module.frontendUser.allowNonAdminUsersToLoginAsFrontendUser” is enabled, resulting in an unauthenticated remote user to login as any frontend user.

Solution

Updated versions 4.3.11, 5.7.4, 6.4.2 and 7.5.5 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/modules/4.3.11/zip 
https://extensions.typo3.org/extension/download/modules/5.7.4/zip 
https://extensions.typo3.org/extension/download/modules/6.4.2/zip 
https://extensions.typo3.org/extension/download/modules/7.5.5/zip 

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Thomas Deuling for reporting the vulnerability and  for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The TER extension bundles the PHP package “phpoffice/phpspreadsheet”, which is affected by a Server-Side Request Forgery vulnerability.

Note: The extension does not bundle the PHP package “phpoffice/phpspreadsheet” anymore. The Excel Export feature does only work, when the extension is installed via composer.

Solution

Updated versions 5.0.4 and 6.1.2 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/frp_form_answers/5.0.4/zip
https://extensions.typo3.org/extension/download/frp_form_answers/6.1.2/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Mikel Wohlschlegel for reporting the vulnerability and to Jonas Hirschi for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The TER extension bundles the PHP package “phpoffice/phpspreadsheet”, which is affected by a Server-Side Request Forgery vulnerability.

Solution

An updated version 5.1.0 is available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/base_excel/5.1.0/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Franz Holzinger  for providing an updated version of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The extension fails to properly encode user input for output in HTML context in TYPO3 backend user interface.

Solution

Updated versions 2.2.5, 3.2.2, 4.2.3 and 5.0.2 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/form_to_database/2.2.5/zip  
https://extensions.typo3.org/extension/download/form_to_database/3.2.2/zip  
https://extensions.typo3.org/extension/download/form_to_database/4.2.3/zip  
https://extensions.typo3.org/extension/download/form_to_database/5.0.2/zip    

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Sascha Egerer for reporting the vulnerability and to Liquid Light for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

• Component Type: TYPO3 CMS
• Subcomponent: List Module (ext:backend, ext:recordlist)
• Release Date: September 9, 2025
• Vulnerability Type: Information Disclosure
• Affected Versions: 11.0.0-11.5.47, 12.0.0-12.4.36, 13.0.0-13.4.17
• Severity: Medium
• Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
• References: CVE-2025-59019, CWE-200

Problem Description

The CSV download feature in the backend user interface allowed callers to request arbitrary data from the database without performing a permission check on the target table. Consequently, a backend user without rights to a particular database table could retrieve records, leading to information disclosure. This vulnerability was limited to database records that fell within the page tree the user was already permitted to access.

Solution

Update to TYPO3 versions 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

Credits

Thanks to TYPO3 core & security team member Oliver Hader for reporting the issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

• Component Type: TYPO3 CMS
• Subcomponent: Workspaces Module (ext:workspaces)
• Release Date: September 9, 2025
• Vulnerability Type: Information Disclosure
• Affected Versions: 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, 13.0.0-13.4.17
• Severity: High
• Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
• References: CVE-2025-59018, CWE-200

Problem Description

In addition to the vulnerability documented in TYPO3‑CORE‑SA‑2025‑021 (CVE‑2025‑59017), any authenticated backend user could invoke a backend AJAX route belonging to the workspaces module.

The route allowed the caller to request arbitrary data from the database, without performing a permission check on the target table. Consequently, a backend user without rights to a particular database table could retrieve sensitive records, leading to information disclosure.

Solution

Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

Credits

Thanks to TYPO3 core & security team member Oliver Hader for reporting and fixing this issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

• Component Type: TYPO3 CMS
• Subcomponent: Backend Routing (ext:backend)
• Release Date: September 9, 2025
• Vulnerability Type: Broken Access Control
• Affected Versions:9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, 13.0.0-13.4.17
• Severity: Medium
• Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
• References: CVE-2025-59017, CWE-862

Problem Description

Dedicated AJAX routes used by TYPO3 backend modules were not protected by the same permission checks that guard the modules themselves. As a result, an authenticated backend user could directly call these routes - even if the user had no permissions to the corresponding module.
This allowed users to read, modify, or delete data directly - effectively bypassing module‑level restrictions.

Solution

Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

The AJAX route property inheritAccessFromModule is introduced. When this property is set, a route is explicitly bound to the permissions of a specified backend module.

In general, developers are advised to always verify authorization on target resources (pages, database tables, files, etc.) within the corresponding AJAX handler or controller. More details are available at https://docs.typo3.org/permalink/t3coreapi:be-user-check.

Credits

Thanks to TYPO3 security team member Elias Häußler for reporting and fixing this issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

• Component Type: TYPO3 CMS
• Subcomponent: File Abstraction Layer (ext:core)
• Release Date: September 9, 2025
• Vulnerability Type: Information Disclosure
• Affected Versions: 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, 13.0.0-13.4.17
• Severity: Medium
• Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
• References: CVE-2025-59016, CWE-209

Problem Description

When specific low‑level file‑system operations fail during execution through the File Abstraction Layer, the full path of the affected resource is disclosed. Exploiting this vulnerability requires a valid backend user account.

Solution

Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

Credits

Thanks to Dmitry Petschke and Marc Willmann for reporting this issue, and to TYPO3 core team member Andreas Kienast for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

• Component Type: TYPO3 CMS
• Subcomponent: Crypto (ext:core)
• Release Date: September 9, 2025
• Vulnerability Type: Insufficient Entropy
• Affected Versions: 12.0.0-12.4.36, 13.0.0-13.4.17
• Severity: Medium
• Suggested CVSS: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
• References: CVE-2025-59015, CWE-331

Problem Description

By default, the Password Generation component creates a password that always begins with a deterministic three‑character prefix (lower‑case, upper‑case, digit). Consequently, the effective entropy of the generated passwords is lower than expected. Invocations that employ the random password rules are unaffected.

Solution

Update to TYPO3 versions 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

Credits

Thanks to Mathias Brodala for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

• Component Type: TYPO3 CMS
• Subcomponent: Bookmark Toolbar (ext:backend)
• Release Date: September 9, 2025
• Vulnerability Type: Denial of Service
• Affected Versions: 11.0.0-11.5.47, 12.0.0-12.4.36, 13.0.0-13.4.17
• Severity: Medium
• Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
• References: CVE-2025-59014, CWE-248

Problem Description

Due to insufficient input validation, manipulated data saved in the bookmark toolbar of the backend user interface causes a general error state, blocking further access to the interface. Exploiting this vulnerability requires an administrator-level backend user account.

Solution

Update to TYPO3 versions 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

Credits

Thanks to Jakub Świes for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

• Component Type: TYPO3 CMS
• Subcomponent: Core Utilities (ext:core)
• Release Date: September 9, 2025
• Vulnerability Type: Open Redirect
• Affected Versions: 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, 13.0.0-13.4.17
• Severity: Medium
• Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
• References: CVE-2025-59013, CWE-601

Problem Description

Applications that use TYPO3\CMS\Core\Utility\GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks.

Solution

Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

Credits

Thanks to TYPO3 core & security  team member Oliver Hader for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

Problem Description

The extension fails to sanitize user input resulting in Command Injection when creating a backup. Exploiting this vulnerability requires a valid administrator account.

Solution

An updated version 13.0.3 is available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/ns_backup/13.0.3/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to the Swiss NCSC Vulnerability Management Team for reporting the vulnerability and to NITSAN for providing an updated version of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

• Type: Advisory
• Component Type: TYPO3 CMS
• Subcomponent: SVG Sanitizer (based on enshrined/svg-sanitize)
• Release Date: August 14, 2025
• Impact: Link Injection, in some cases Cross-Site Scripting
• Affected Versions: 9.0.0-9.5.53, 10.0.0-10.4.52, 11.0.0-11.5.46, 12.0.0-12.4.35, 13.0.0-13.4.16
• Severity: Medium
• Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
• References: CVE-2025-55166

Problem Description

The enshrined/svg-sanitize library (versions before 0.22.0) did not properly sanitize resource references in mixed-case attributes (HrEf="..." or xlink:HrEf="...") in SVG content. This flaw could allow an attacker to inject links to external sites and execute JavaScript if no Content-Security-Policy (CSP) headers were in place. Only inline SVG content embedded directly in HTML was affected.

For more details, see the official advisory for the library.

Solution

Update to TYPO3 versions 9.5.54 ELTS, 10.4.53 ELTS, 11.5.47 ELTS, 12.4.36 LTS, 13.4.17 LTS that fix the problem described by including version 0.22.0 of the enshrined/svg-sanitize library.

Note: Due to the previous TYPO3 dependency constraint ("^0.20.0"), installing enshrined/svg-sanitize version 0.22.0 directly was not possible. The updated TYPO3 releases now require "~0.22", ensuring that the fixed library version and future updates are included automatically.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The affected TYPO3 extension attempts to validate the integrity of the __identity parameter when saving user-submitted data. If a modification of the __identity value is detected, the extension logs the incident using Extbase persistence mechanisms.

However, due to improper handling of the manipulated user object (mapped by Extbase based on the modified __identity parameter) the logging operation unintentionally persists changes to the user object. This allows authenticated frontend users with access to the "Edit" plugin to arbitrarily modify other frontend user records by submitting manipulated data.

Solution

Updated versions 6.4.2, 7.5.3 and 8.3.1 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/femanager/8.3.1/zip
https://extensions.typo3.org/extension/download/femanager/7.5.3/zip
https://extensions.typo3.org/extension/download/femanager/6.4.2/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Alexander Freundlieb for reporting the vulnerability and to Stefan Busemann for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The extension fails to validate the query parameter “file” of the “downloadFile” function in the backend module of the extension resulting in Insecure Direct Object Reference (IDOR). An authenticated attacker with access to the backend module can use this vulnerability to download arbitrary files the webserver has access to. In order to successfully exploit the vulnerability, it is required that at least one powermail email record containing an uploaded file is available in the backend module.

Solution

Updated versions 12.5.3 and 13.0.1 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/powermail/12.5.3/zip
https://extensions.typo3.org/extension/download/powermail/13.0.1/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Riny van Tiggelen for reporting the vulnerability and to Marcus Schwemer for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The extension allows the exchange of a serialized file object representation of a previously uploaded file without proper validation. This enables an attacker to inject arbitrary serialized PHP objects, which may be deserialized on the server side, potentially leading to Remote Code Execution (RCE).

The extension does not verify if a specified file identifier is authorized for download. This allows an attacker to disclose and download arbitrary files without further authentication, resulting in an Insecure Direct Object Reference (IDOR) vulnerability.

Solution

An updated version 12.5.0 is available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/sr_feuser_register/12.5.0/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Johannes Seipelt for reporting the RCE vulnerability, to Security Team Member Torben Hansen for reporting the IDOR issue, and to Stanislas Roland for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

The extension fails to sanitize user input resulting in Command Injection when creating a backup. An authenticated backend user with access to the extensions backend module is required to exploit the vulnerability.

The extension saves backup and configuration files to a predictable resource location. This allows an unauthenticated remote user to download created backups and configuration files.

The extension fails to properly encode user input for output in HTML context in TYPO3 backend user interface.

Note: The TYPO3 Security Team recommends downloading and removing all previously created backup files to delete any files that may be affected by the Predictable Resource Location vulnerability. Additionally, it is recommended to configure a non-public accessible directory as target folder for backups.

Solution

An updated version 13.0.1 is available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/ns_backup/13.0.1/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Jakub Świes and to Swiss NCSC Vulnerability Management Team for reporting the Command Injection vulnerability, Swiss NCSC Vulnerability Management Team and TYPO3 Security Team Member Torben Hansen for reporting the Predictable Resource Location vulnerability, Swiss NCSC Vulnerability Management Team for reporting the Cross-Site Scripting vulnerabilities and Sanjay Chauhan (NITSAN) for providing an updated version of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Problem Description

A superfluous parameter in the newAction of the newController allows an unauthenticated user to view user data of any frontend user.

Solution

Updated versions 5.5.5, 6.4.1, 7.4.2 and 8.2.2 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/femanager/5.5.5/zip
https://extensions.typo3.org/extension/download/femanager/6.4.1/zip
https://extensions.typo3.org/extension/download/femanager/7.4.2/zip
https://extensions.typo3.org/extension/download/femanager/8.2.2/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Stefan Busemann for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.