Release Date: September 25, 2013
Please read first: This Collective Security Bulletin (CSB) lists vulnerable extensions that have neither significant download numbers nor other special importance within the TYPO3 community. CSBs are intended to reduce the workload of the TYPO3 Security Team and of the maintainers of vulnerable extensions. Vulnerabilities in the TYPO3 core or in important extensions will still each receive the well-known single Security Bulletin.
Please read our buzz blog post, which has a detailed explanation of CSBs.
All vulnerabilities affect third-party extensions. These extensions are not part of the TYPO3 default installation.
Extension: booking (booking)
Affected Versions: 0.2.7 and all versions below
Vulnerability Type: Insecure Unserialize
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C (What's that?)
Solution: An updated version 0.2.9 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/booking/0.2.9/. Users of the extension are advised to update the extension as soon as possible.
Extension: ics_awstats
Affected Versions: 0.5.4 and all versions below
Vulnerability Type: Unspecified
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:O/RC:C (What's that?)
Related CVE: CVE-2012-4547
Problem Description: The extension bundles an outdated version of AWStats that is vulnerable to an unspecified type of attack; see the related CVE for details.
Solution: An updated version 0.6.0 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/ics_awstats/0.6.0/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Bjoern Pedersen, Xaver Maierhofer and Andrea Herzog who informed us about the issue.
Extension: Simple Image Gallery (iflowgallery)
Affected Versions: 0.1.0 and all versions below
Vulnerability Type: SQL Injection
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:N/E:F/RL:U/RC:C (What's that?)
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. We were not able to contact the extension maintainer. Please uninstall the extension and delete its folder from your installation.
Credits: Credits go to TYPO3 Security Team Member Franz G. Jahn who discovered and reported the issue.
Extension: Ratsinformationssystem (RIS) (cronmm_ratsinfo)
Affected Versions: 1.2.0 and all versions below
Vulnerability Type: SQL Injection
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C (What's that?)
Solution: An updated version 1.3.0 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/cronmm_ratsinfo/1.3.0/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Peter Leußner who discovered and reported the issue.
Extension: Frontend User Registration (ke_userregister)
Affected Versions: 0.1.5 and all versions below
Vulnerability Type: SQL Injection
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C (What's that?)
Solution: An updated version 0.1.6 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/ke_userregister/0.1.6/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Extension Author Andreas Kiefer who discovered and reported the issue.
Extension: meta_beawstatsind
Affected Versions: 1.0.1
Vulnerability Type: Unspecified
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:U/RC:C (What's that?)
Related CVE: CVE-2012-4547
Problem Description: The extension bundles an outdated version of AWStats that is vulnerable to an unspecified type of attack; see the related CVE for details.
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author has stated that he will no longer maintain the extension. Please uninstall the extension and delete its folder from your installation.
Credits: Credits go to Bjoern Pedersen, Xaver Maierhofer and Andrea Herzog who informed us about the issue.
Extension: Powermail double opt-in (powermail_optin)
Affected Versions: 1.0.1 and all versions below
Vulnerability Type: Authentication Bypass and Information Disclosure
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:P/RL:U/RC:C (What's that?)
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author has stated that he will no longer maintain the extension. Please uninstall the extension and delete its folder from your installation.
Extension: smarty (smarty)
Affected Versions: 1.11.0 and all versions below
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:P/RL:O/RC:C (What's that?)
Problem Description: The extension bundles the Smarty template engine. Old versions of this library are known to be vulnerable to Cross-Site Scripting.
Solution: An updated version 1.13.1 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/smarty/1.13.1/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Alexander Wende who discovered and reported the issue.
Extension: Youtube Channel Videos (youtubevideos)
Affected Versions: 0.1.1 and all versions below
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:P/RL:U/RC:C (What's that?)
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author did not provide a security fix for the reported vulnerability within a reasonable time. Please uninstall the extension and delete its folder from your installation.
Credits: Credits go to Markus Klein who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
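As an added practitioner check that is not part of the original bulletin: the POSIX shell script below walks a TYPO3 installation's typo3conf/ext directory, reads the 'version' entry of each extension's ext_emconf.php, and flags every extension key from this bulletin whose installed version is at or below the highest affected version listed above. The affected-version table is copied from the bulletin; the directory layout and the ext_emconf.php format are the standard TYPO3 ones. The only assumption beyond the bulletin is that meta_beawstatsind, which lists only 1.0.1 as affected and has been removed from the repository, is treated as affected at 1.0.1 and below. The function names (version_le, emconf_version, scan_ext_dir) are this example's own.

```shell
#!/bin/sh
# Added example: check a TYPO3 installation against the extensions in this CSB.
# Usage: scan_ext_dir /path/to/typo3conf/ext
# Exit status is 1 when at least one affected extension is installed, 0 otherwise.

# Extension key and highest affected version, copied from the bulletin.
# meta_beawstatsind lists only 1.0.1; treating <= 1.0.1 as affected is an assumption.
AFFECTED="booking 0.2.7
ics_awstats 0.5.4
iflowgallery 0.1.0
cronmm_ratsinfo 1.2.0
ke_userregister 0.1.5
meta_beawstatsind 1.0.1
powermail_optin 1.0.1
smarty 1.11.0
youtubevideos 0.1.1"

# version_le A B: succeed (exit 0) when dotted version A <= B, comparing
# component-wise as integers so that 0.10.0 sorts after 0.9.0.
# Missing components count as 0, so 0.1 equals 0.1.0.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0;
            y = (i <= nb) ? pb[i] + 0 : 0;
            if (x < y) exit 0;
            if (x > y) exit 1;
        }
        exit 0;
    }'
}

# emconf_version FILE: print the numeric 'version' => '...' value of an
# ext_emconf.php. Non-numeric suffixes (e.g. '0.2.7-dev') are not matched and
# yield an empty string, so such extensions are skipped rather than misjudged.
emconf_version() {
    sed -n "s/.*['\"]version['\"][[:space:]]*=>[[:space:]]*['\"]\([0-9.]*\)['\"].*/\1/p" "$1" | head -n 1
}

# scan_ext_dir DIR: for every DIR/<key>/ext_emconf.php whose key appears in
# AFFECTED, print "<key> <version> (affected: <= <max>)" when the installed
# version is within the affected range. Returns 1 if anything was flagged.
scan_ext_dir() {
    found=0
    for emconf in "$1"/*/ext_emconf.php; do
        [ -f "$emconf" ] || continue
        key=$(basename "$(dirname "$emconf")")
        ver=$(emconf_version "$emconf")
        [ -n "$ver" ] || continue
        max=$(printf '%s\n' "$AFFECTED" | awk -v k="$key" '$1 == k { print $2 }')
        [ -n "$max" ] || continue
        if version_le "$ver" "$max"; then
            printf '%s %s (affected: <= %s)\n' "$key" "$ver" "$max"
            found=1
        fi
    done
    return $found
}
```

Run it as `scan_ext_dir /var/www/typo3conf/ext` (path is an example) from a shell that has sourced the script; a non-zero exit status makes it usable as a gate in a deployment pipeline. The check only looks at the version string, so an extension that was patched in place without bumping ext_emconf.php will still be flagged, which is the conservative outcome for an advisory that recommends updating or removing the extension.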