TYPO3-EXT-SA-2025-007: Multiple vulnerabilities in extension "Backup Plus" (ns_backup)

Categories: Development
Created by Elias Häußler
It has been discovered that the extension "Backup Plus" (ns_backup) is susceptible to Command Injection, Predictable Resource Location and Cross-Site Scripting.

Problem Description

The extension fails to sanitize user input, resulting in Command Injection when creating a backup. An authenticated backend user with access to the extension's backend module is required to exploit the vulnerability.

The extension saves backup and configuration files to a predictable resource location. This allows an unauthenticated remote user to download created backups and configuration files.

The extension fails to properly encode user input for output in an HTML context in the TYPO3 backend user interface.

Note: The TYPO3 Security Team recommends downloading and removing all previously created backup files, so that any files exposed by the Predictable Resource Location vulnerability are no longer retrievable. Additionally, it is recommended to configure a directory that is not publicly accessible as the target folder for backups.
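The two mitigations behind this note, as an added illustration that is not code from the ns_backup extension: a check that the configured backup target resolves outside the public document root, and a backup command built without letting user-controlled values reach the shell unescaped. The function names, the allow-list pattern and the paths are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Returns true when $targetDir resolves to an existing directory that is not
 * located inside $publicRoot (the web server's document root). Backups stored
 * below the document root are downloadable by anyone who guesses the name.
 */
function isBackupTargetPrivate(string $targetDir, string $publicRoot): bool
{
    $target = realpath($targetDir);
    $public = realpath($publicRoot);
    if ($target === false || $public === false) {
        return false; // unresolvable paths are treated as unsafe
    }
    $public = rtrim($public, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Compare with a trailing separator so "/var/www/html2" is not mistaken
    // for a child of "/var/www/html".
    return !str_starts_with($target . DIRECTORY_SEPARATOR, $public);
}

/**
 * Builds a backup command from untrusted pieces without giving them shell
 * meaning: the backup name is restricted by an allow-list, and every path is
 * passed through escapeshellarg(), so characters such as ';' or '$(' stay literal.
 */
function buildBackupCommand(string $backupName, string $targetDir, string $sourceRoot): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $backupName)) {
        throw new InvalidArgumentException('Backup name contains disallowed characters');
    }
    $archive = rtrim($targetDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $backupName . '.tar.gz';
    return 'tar -czf ' . escapeshellarg($archive)
        . ' -C ' . escapeshellarg($sourceRoot) . ' fileadmin';
}

// Constructed usage; the paths are placeholders for a real installation.
$publicRoot = '/var/www/html';
$backupDir  = '/var/backups/typo3';
if (!isBackupTargetPrivate($backupDir, $publicRoot)) {
    fwrite(STDERR, "Refusing to write backups into a publicly reachable directory\n");
    exit(1);
}
echo buildBackupCommand('nightly', $backupDir, $publicRoot), PHP_EOL;
```

A name such as `nightly; id` is rejected by the allow-list before any command string is assembled, and a target inside the document root stops the run before a file is written.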

Solution

An updated version 13.0.1 is available from the TYPO3 extension manager, Packagist and at
https://extensions.typo3.org/extension/download/ns_backup/13.0.1/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Jakub Świes and the Swiss NCSC Vulnerability Management Team for reporting the Command Injection vulnerability, to the Swiss NCSC Vulnerability Management Team and TYPO3 Security Team member Torben Hansen for reporting the Predictable Resource Location vulnerability, to the Swiss NCSC Vulnerability Management Team for reporting the Cross-Site Scripting vulnerabilities, and to Sanjay Chauhan (NITSAN) for providing an updated version of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.