The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of TYPO3: multiple vulnerabilities

Summary of the vulnerability

An attacker can exploit several vulnerabilities in TYPO3.
Impacted systems: Debian, openSUSE, openSUSE Leap, TYPO3 Core.
Severity of this alert: 2/4.
Number of vulnerabilities in this bulletin: 7.
Creation date: 22/05/2014.
References of this alert: CERTFR-2014-AVI-240, CVE-2010-4207, CVE-2012-5881, CVE-2014-3941, CVE-2014-3942, CVE-2014-3943, CVE-2014-3944, CVE-2014-3945, CVE-2014-3946, DSA-2942-1, openSUSE-SU-2014:0813-1, openSUSE-SU-2016:2025-1, openSUSE-SU-2016:2114-1, TYPO3-CORE-SA-2014-001, VIGILANCE-VUL-14789.

Description of the vulnerability 

Several vulnerabilities were announced in TYPO3.

An attacker can forge the HTTP Host header; code that builds absolute URLs from $_SERVER['HTTP_HOST'] then embeds the attacker-chosen host in the links it generates. [severity:2/4; CVE-2014-3941]
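The pattern behind this issue, as an added example that is neither TYPO3 code nor part of the Vigil@nce bulletin: an application that derives its own hostname from the request is letting the client choose where generated links point. The 6.2.3 fix introduces a trusted-hosts pattern setting ($GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']); the standalone check below illustrates the same idea and is not TYPO3's implementation. The request arrays, the token and the allowlist regex are constructed for the illustration.

```php
<?php
// Added example (not TYPO3 or Vigil@nce code): why building absolute URLs from
// $_SERVER['HTTP_HOST'] is dangerous, and how to validate the header first.
// The trusted-hosts pattern and the request arrays below are constructed for
// this illustration.

// Vulnerable pattern: an absolute link (for example in a password-reset mail)
// is built from whatever Host header the client chose to send.
function resetLinkUnsafe(array $server, $token)
{
    return 'https://' . $server['HTTP_HOST'] . '/reset?token=' . rawurlencode($token);
}

// Hardened pattern: the header is accepted only if it matches an
// operator-controlled allowlist regex; anything else is rejected instead of
// being echoed back into generated content.
function trustedHost(array $server, $trustedHostsPattern)
{
    $host = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';
    // Anchor the pattern so it must match the whole header (host plus optional port).
    if ($host === '' || !preg_match('/^(?:' . $trustedHostsPattern . ')\z/i', $host)) {
        throw new RuntimeException('Untrusted Host header: ' . $host);
    }
    return $host;
}

function resetLinkSafe(array $server, $token, $trustedHostsPattern)
{
    return 'https://' . trustedHost($server, $trustedHostsPattern)
        . '/reset?token=' . rawurlencode($token);
}

// Constructed requests: the attacker points the Host header at a domain they
// control while the server itself is www.example.org.
$spoofed = array('HTTP_HOST' => 'evil.example', 'SERVER_NAME' => 'www.example.org');
$genuine = array('HTTP_HOST' => 'www.example.org', 'SERVER_NAME' => 'www.example.org');
$pattern = '(?:www\.)?example\.org(?::443)?';

// The spoofed host is copied straight into the link.
echo resetLinkUnsafe($spoofed, 'abc'), PHP_EOL;

// The same request is refused once the header is validated.
try {
    echo resetLinkSafe($spoofed, 'abc', $pattern), PHP_EOL;
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// A genuine request still produces a link on the real host.
echo resetLinkSafe($genuine, 'abc', $pattern), PHP_EOL;
```

Two caveats a deployment should keep in mind. First, the allowlist has to include the port form if clients ever send one (proxies and non-standard ports do). Second, validating in the application is only half of it: if the web server's default virtual host happily serves the TYPO3 site for any Host value, configure it to reject or redirect unknown hosts, so forged requests never reach the application in the first place.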

An attacker can submit crafted serialized data that is passed to unserialize(), in order to execute code. [severity:2/4; CVE-2014-3942]
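How a serialized string turns into code execution, as an added example that is neither TYPO3 code nor part of the bulletin: unserialize() instantiates whatever class the input names and later runs that class's magic methods (__wakeup, __destruct, ...) on attacker-chosen property values. The BufferedWriter class, the payload and the temporary target path below are constructed for the illustration; the allowed_classes option is a PHP 7.0 feature and was not available on the PHP 5 releases current when this bulletin was published.

```php
<?php
// Added example (not TYPO3 or Vigil@nce code): why unserialize() on
// attacker-controlled input hands the attacker a call into any loaded class
// that defines magic methods, and two ways to avoid that. The BufferedWriter
// class, the payload and the target path are constructed for this illustration.

// An ordinary application class: it flushes buffered data to a file when it is
// destroyed. It is not "vulnerable" on its own; it only becomes a gadget when
// an attacker can create an instance with properties of their choosing.
class BufferedWriter
{
    public $path;
    public $data;

    public function __destruct()
    {
        if ($this->path !== null && $this->data !== null) {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable: a cookie or request parameter goes straight into unserialize().
function loadStateUnsafe($untrusted)
{
    return unserialize($untrusted);
}

// Hardened (a), PHP 7.0+: refuse to instantiate any class. Objects in the input
// come back as __PHP_Incomplete_Class, whose magic methods never run.
function loadStateSafe($untrusted)
{
    return unserialize($untrusted, array('allowed_classes' => false));
}

// Hardened (b), any PHP version: use a data format with no object semantics.
function loadStateJson($untrusted)
{
    $value = json_decode($untrusted, true);
    return is_array($value) ? $value : null;
}

// Constructed payload: the attacker never calls BufferedWriter directly; the
// serialized string simply describes an instance whose destructor will write
// attacker-chosen content to an attacker-chosen path (in a real attack, a
// .php file under the web root, which is where "execute code" comes from).
$target  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'unserialize-demo.txt';
$payload = 'O:14:"BufferedWriter":2:{'
         . 's:4:"path";s:' . strlen($target) . ':"' . $target . '";'
         . 's:4:"data";s:10:"owned-by-x";}';

@unlink($target);
$obj = loadStateUnsafe($payload);
unset($obj);                       // last reference dropped: __destruct() runs
echo 'unsafe: file written = ', var_export(file_exists($target), true), PHP_EOL;

@unlink($target);
$obj = loadStateSafe($payload);
echo 'safe: got ', get_class($obj), PHP_EOL;
unset($obj);                       // no destructor on an incomplete class
echo 'safe: file written = ', var_export(file_exists($target), true), PHP_EOL;

echo 'json: ', var_export(loadStateJson($payload), true), PHP_EOL;
```

The gadget here is deliberately small; in a CMS the attacker picks from every autoloadable class in core and extensions, so the realistic fix is never to unserialize untrusted bytes at all, rather than to audit classes for dangerous magic methods.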

An attacker can trigger a Cross Site Scripting in the Backend, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2014-3943]

An attacker can trigger a Cross Site Scripting in the bundled ExtJS library, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2010-4207, CVE-2012-5881]

An authenticated attacker can renew his session indefinitely, so an active session is never forced to expire. [severity:2/4; CVE-2014-3944]
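Why "indefinitely" matters, as an added example that is neither TYPO3 code nor part of the bulletin: a session whose expiry is only ever pushed forward by activity can be kept alive forever by a client that sends a request every few minutes, so a stolen cookie stays valid until the server restarts. The fix is a second clock, an absolute lifetime counted from authentication. The timeouts, the login timestamp and the simulated client below are constructed for the illustration.

```php
<?php
// Added example (not TYPO3 or Vigil@nce code): a session that is only ever
// extended on activity can be kept alive forever by a client that touches it
// every few minutes; an absolute lifetime, counted from authentication, caps
// that regardless of activity. Timeouts and the simulated client are
// constructed for this illustration.

const IDLE_TIMEOUT = 1800;       // 30 minutes without a request
const MAX_LIFETIME = 8 * 3600;   // hard cap since login, even for an active client

// Vulnerable: validity depends only on the last request, so every request
// pushes expiry forward with no upper bound.
function isValidSlidingOnly(array $session, $now)
{
    return ($now - $session['last_seen']) <= IDLE_TIMEOUT;
}

// Hardened: idle timeout AND absolute lifetime measured from login time.
function isValidBounded(array $session, $now)
{
    if (($now - $session['last_seen']) > IDLE_TIMEOUT) {
        return false;
    }
    return ($now - $session['created']) <= MAX_LIFETIME;
}

// Drive a session with a client that re-requests every $interval seconds for
// $horizon seconds, and report how long (since login) the session survived.
function survivalSeconds(callable $isValid, $login, $interval, $horizon)
{
    $session = array('created' => $login, 'last_seen' => $login);
    for ($t = $login + $interval; $t <= $login + $horizon; $t += $interval) {
        if (!$isValid($session, $t)) {
            return $session['last_seen'] - $login;   // rejected: last accepted request
        }
        $session['last_seen'] = $t;                  // accepted: session renewed
    }
    return $horizon;                                 // still alive at the end
}

$login = 1400000000;   // a fixed login timestamp for a reproducible run

// A client polling every 10 minutes for a day: the sliding-only check never
// expires it, the bounded check cuts it off at MAX_LIFETIME.
echo 'sliding only: alive for ', survivalSeconds('isValidSlidingOnly', $login, 600, 86400), ' s', PHP_EOL;
echo 'bounded:      alive for ', survivalSeconds('isValidBounded', $login, 600, 86400), ' s', PHP_EOL;
```

The absolute lifetime must be stored server-side at login (the 'created' field here), not derived from anything the client sends, and the session identifier should be regenerated when the user authenticates so a pre-login identifier cannot inherit the new lifetime.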

Stored password hashes are not always salted, which makes them easier to crack with precomputed tables. [severity:1/4; CVE-2014-3945]
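What "not salted" costs and how a migration looks in practice, as an added example that is neither TYPO3 code nor part of the bulletin: with an unsalted hash, every user who picked the same password has the same stored value, so one cracked hash (or one rainbow table) covers all of them. The user records and passwords below are constructed for the illustration; the legacy format is plain md5, and the detection by shape (32 hex digits) is an assumption of this example.

```php
<?php
// Added example (not TYPO3 or Vigil@nce code): the difference between an
// unsalted hash and a salted, iterated one, and how to migrate legacy records
// transparently when a user logs in. The user records and passwords below are
// constructed for this illustration.

const BCRYPT_OPTIONS = array('cost' => 10);

// Legacy storage: identical passwords give identical hashes, so one
// precomputed table (or one cracked hash) covers every user who chose it.
function legacyHash($password)
{
    return md5($password);
}

// Salted storage: password_hash() draws a random salt per call and encodes
// algorithm, cost and salt into the result, so equal passwords differ.
function saltedHash($password)
{
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Recognise a legacy record by its shape: 32 hex digits, no "$algo$" prefix.
function isLegacyHash($stored)
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// Verify against either format. On success, return a replacement hash whenever
// the stored one is legacy or below current cost; the caller writes it back.
function verifyAndUpgrade($password, $stored)
{
    if (isLegacyHash($stored)) {
        $ok = hash_equals($stored, md5($password));
        return array($ok, $ok ? saltedHash($password) : null);
    }
    $ok  = password_verify($password, $stored);
    $new = ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS))
        ? saltedHash($password) : null;
    return array($ok, $new);
}

// Two constructed accounts that happen to share a password.
$legacyA = legacyHash('Winter2014');
$legacyB = legacyHash('Winter2014');
echo 'legacy hashes identical: ', var_export($legacyA === $legacyB, true), PHP_EOL;

$saltedA = saltedHash('Winter2014');
$saltedB = saltedHash('Winter2014');
echo 'salted hashes identical: ', var_export($saltedA === $saltedB, true), PHP_EOL;

// Login against the legacy record: accepted, and an upgraded hash comes back.
list($ok, $upgraded) = verifyAndUpgrade('Winter2014', $legacyA);
echo 'legacy login ok: ', var_export($ok, true),
     ', upgraded: ', var_export($upgraded !== null && !isLegacyHash($upgraded), true), PHP_EOL;

// Login against a current record: accepted, nothing to rewrite.
list($ok, $upgraded) = verifyAndUpgrade('Winter2014', $saltedA);
echo 'salted login ok: ', var_export($ok, true),
     ', upgraded: ', var_export($upgraded !== null, true), PHP_EOL;
```

Upgrading at login only fixes accounts that log in. Records of users who never return stay unsalted, so a complete migration either wraps the existing md5 values offline (bcrypt over the legacy hash, with the verifier adjusted to match) or forces a password reset for them.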

An attacker who is a member of another group can obtain sensitive information. [severity:2/4; CVE-2014-3946]

This security advisory affects software or systems such as Debian, openSUSE, openSUSE Leap, TYPO3 Core.

Our Vigil@nce team rates the severity of this vulnerability as medium.

Trust level: confirmed by the vendor. Attack origin: Internet client.

This bulletin covers 7 vulnerabilities.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat 

TYPO3: version 6.2.3.
The version 6.2.3 is fixed:
  https://typo3.org/download/

TYPO3: version 6.1.9.
The version 6.1.9 is fixed:
  https://typo3.org/download/

TYPO3: version 6.0.14.
The version 6.0.14 is fixed:
  https://typo3.org/download/

TYPO3: version 4.7.19.
The version 4.7.19 is fixed:
  https://typo3.org/download/

TYPO3: version 4.5.34.
The version 4.5.34 is fixed:
  https://typo3.org/download/

TYPO3: mitigation for the HTTP Host issue.
The configuration steps are given in the referenced sources (see TYPO3-CORE-SA-2014-001).

Debian: new typo3-src packages.
New packages are available:
  Debian 7: typo3-src 4.5.19+dfsg1-5+wheezy3

openSUSE 13.1: new typo3-cms packages.
New packages are available:
  openSUSE 13.1: typo3-cms 4.5.40-2.7.1, typo3-cms 4.7.20-3.3.1

openSUSE: new typo3-cms-4_5 packages.
New packages are available:
  openSUSE 12.3: typo3-cms-4_5 4.5.34-2.8.1
  openSUSE 13.1: typo3-cms-4_5 4.5.34-2.4.1

openSUSE: new typo3-cms-4_7 packages.
New packages are available:
  openSUSE Leap 42.1: typo3-cms-4_7 4.7.20-7.1
  openSUSE 13.2: typo3-cms-4_7 4.7.20-2.3.1
