TYPO3 updates close File Uploader vulnerability
The TYPO3 development team has released updates for all currently supported versions of its open source content management system (CMS), fixing a number of bugs and closing a security hole in one of the TYPO3 Core components. According to the developers, the JavaScript and Flash Upload Library (swfupload) used in previous versions of TYPO3 did not properly sanitise the "movieName" parameter before calling "ExternalInterface.call()".
This vulnerability could have been exploited by an attacker to execute arbitrary code in a browser session and conduct cross-site scripting (XSS) attacks. Versions 4.5.0 to 4.5.16, 4.6.0 to 4.6.9, 4.7.0 and 4.7.1, as well as the 6.0 branch development releases are affected; upgrading to TYPO3 4.5.17, 4.6.10 or 4.7.2 resolves the problem.
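The flaw described above is the classic pattern of an untrusted parameter being interpolated into a JavaScript call string before it reaches the browser. The following is an added example written for this page, not code from TYPO3 or the swfupload library: it models the `movieName` to `ExternalInterface.call()` hand-off as a plain JavaScript string builder (the exact string swfupload generated is an assumption here, not taken from its source), shows an allowlist validator that rejects anything other than an identifier-like token, and adds a small check that maps a TYPO3 version string onto the affected ranges quoted in this article.

```javascript
// Added example (not TYPO3 or SWFUpload code). Two defender-side checks:
//  1. an allowlist validator for a value that is about to be interpolated
//     into a JavaScript call string, modelled on the "movieName" ->
//     ExternalInterface.call() pattern named in the advisory;
//  2. a version check against the affected ranges listed in the article.

// Assumed shape of the JavaScript that the Flash side asks the browser to run:
// the movie name is used as a string key into a global registry. Building it
// by concatenation means any value that can terminate the quoted key changes
// what the browser evaluates, which is why the value must be validated first.
function buildDispatchUnsafe(movieName, handler) {
  return 'SWFUpload.instances["' + movieName + '"].' + handler + "()";
}

// Allowlist: a movie name is an identifier-like token and nothing else.
const MOVIE_NAME_RE = /^[A-Za-z0-9_]{1,64}$/;
const HANDLER_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isValidMovieName(value) {
  return typeof value === "string" && MOVIE_NAME_RE.test(value);
}

// Hardened form: reject before interpolating, and emit the key as a JSON
// string literal so that quotes and backslashes can never reach the output
// unescaped even if the allowlist is later relaxed.
function buildDispatchSafe(movieName, handler) {
  if (!isValidMovieName(movieName)) {
    throw new Error("movieName rejected: must match " + MOVIE_NAME_RE);
  }
  if (typeof handler !== "string" || !HANDLER_RE.test(handler)) {
    throw new Error("handler rejected: must be an identifier");
  }
  return "SWFUpload.instances[" + JSON.stringify(movieName) + "]." + handler + "()";
}

// --- Version check against the ranges quoted in the article ---------------

// Parses "4.5.16", "4.7.2" or a development tag such as "6.0.0alpha1"
// (the tag format is an assumption; only the numeric prefix is relied on).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(.*)$/.exec(String(v).trim());
  if (!m) return null;
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: m[3] === undefined ? 0 : Number(m[3]),
    suffix: m[4],
  };
}

// First fixed patch level per branch, as given in the article:
// 4.5.17, 4.6.10 and 4.7.2.
const FIRST_FIXED = { "4.5": 17, "4.6": 10, "4.7": 2 };

// Returns true (affected), false (fixed), or null when the article does not
// cover that version at all.
function affectedByAdvisory(version) {
  const p = parseVersion(version);
  if (!p) return null;
  const branch = p.major + "." + p.minor;
  if (branch in FIRST_FIXED) return p.patch < FIRST_FIXED[branch];
  // The article reports the 6.0 development releases as affected but names
  // no fixed 6.0 build, so only pre-release tags are classified here.
  if (branch === "6.0") return p.suffix !== "" ? true : null;
  return null;
}

// Usage: a deployment inventory would feed each instance's version through
// affectedByAdvisory() to find installations that still need the update.
```

The validator deliberately accepts only `[A-Za-z0-9_]`, which is wider than needed for the instance names such a library would generate itself but narrow enough that no quoting or statement-terminating character can pass; `buildDispatchUnsafe` is kept only to make the contrast with the validated builder visible. `affectedByAdvisory` encodes the article's own ranges and returns `null` rather than guessing for versions the article does not list.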
Further information about the updates, including a full list of bug fixes, can be found in the 4.5.17, 4.6.10 and 4.7.2 release notes, and in the security advisory. The updates are available to download from the project's site. All users are advised to update their installations as soon as possible. TYPO3 is licensed under the GPLv2 or later.
See also:
- Cross-Site Scripting Vulnerability in TYPO3 Core, security advisory from TYPO3.
(crve)