
Vulnerabilities in multiple third party TYPO3 CMS extensions

14 November 2016 · Nicole Cordes

Dear TYPO3 users,

Several vulnerabilities have been found in the following third party TYPO3 extensions:

"Store Locator" (locator)
"Code Highlighter" (mh_code_highlighter)
"Shibboleth Authentication" (shibboleth_auth)
"Secure Download Form" (rs_securedownload)
"Member Infosheets" (if_membersheet)
"TC Directmail" (tcdirectmail)

For further information on the issues, please read the related advisories
TYPO3-EXT-SA-2016-028, TYPO3-EXT-SA-2016-029, TYPO3-EXT-SA-2016-030, TYPO3-EXT-SA-2016-031, TYPO3-EXT-SA-2016-032 and
TYPO3-EXT-SA-2016-033, which were published today:

TYPO3-EXT-SA-2016-028: Cross-Site Scripting in extension "Store Locator" (locator)
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-028/

TYPO3-EXT-SA-2016-029: Insecure Unserialize and SQL Injection in extension "Code Highlighter" (mh_code_highlighter)
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-029/

TYPO3-EXT-SA-2016-030: SQL Injection in extension "Shibboleth Authentication" (shibboleth_auth)
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-030/

TYPO3-EXT-SA-2016-031: Cross-Site Scripting in extension "Secure Download Form" (rs_securedownload)
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-031/

TYPO3-EXT-SA-2016-032: SQL Injection in extension "Member Infosheets" (if_membersheet)
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-032/

TYPO3-EXT-SA-2016-033: Unvalidated Redirect in extension "TC Directmail" (tcdirectmail)
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-033/

In general, the TYPO3 Security Team recommends reading the following pages:

The TYPO3 Security Guide:
https://docs.typo3.org/typo3cms/SecurityGuide/

Make sure you are subscribed to the TYPO3 Announce List:
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce

See all TYPO3 security advisories:
https://typo3.org/teams/security/security-bulletins/
Regards,

Nicole Cordes
Member of the TYPO3 Security Team

--
TYPO3 Security Team homepage: https://typo3.org/teams/security/

E-Mail: security@typo3.org