The TYPO3 community today announced maintenance releases that contain bug and security fixes for the open source TYPO3 Enterprise CMS. The versions — TYPO3 6.2.18 LTS and TYPO3 7.6.3 LTS — address four security advisories.
Inside the Updates
The first advisory, authored by Nicole Cordes, reports that TYPO3 is susceptible to SQL (Structured Query Language) injection, a class of flaw in which attackers send malicious SQL statements to a data-driven application through an input field. The affected versions are 6.2.0 to 6.2.17. "A flaw in the database escaping API results in a SQL injection vulnerability when extension dbal (Database Abstraction Layer) is enabled and configured for MySQL pass-through mode in its extension configuration," Cordes wrote.
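The advisory above blames a flaw in an escaping API rather than in any single query. The following added example (constructed for this article, not TYPO3's code, with a hypothetical `quote_escape` helper and a made-up `be_users` table) shows why escaping alone is a fragile defence: a helper that doubles single quotes is correct only when the caller wraps the result in quotes, so the same "escaped" value interpolated into a numeric context is parsed as SQL. The hardened variant validates the type and binds the value as a query parameter, so the database never interprets request input as SQL.

```python
import sqlite3

# Constructed sample schema for this example; not TYPO3's real be_users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE be_users (uid INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO be_users (uid, username) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn

def quote_escape(value):
    """Hypothetical escaping helper: doubles single quotes. This is only
    sufficient when the caller wraps the result in single quotes."""
    return str(value).replace("'", "''")

def lookup_user_unsafe(conn, uid_from_request):
    """Vulnerable pattern: the request value is run through the escaping helper
    but interpolated into a numeric context, where quotes play no role, so SQL
    keywords in the value are parsed as part of the statement."""
    sql = "SELECT uid, username FROM be_users WHERE uid = " + quote_escape(uid_from_request)
    return conn.execute(sql).fetchall()

def lookup_user_safe(conn, uid_from_request):
    """Hardened pattern: validate the expected type, then bind the value as a
    parameter. The statement text is fixed; the value is only ever data."""
    try:
        uid = int(uid_from_request)
    except (TypeError, ValueError):
        raise ValueError("uid must be an integer")
    return conn.execute(
        "SELECT uid, username FROM be_users WHERE uid = ?", (uid,)
    ).fetchall()

def compare(uid_from_request):
    """Run both lookups on a fresh database. Returns (number of rows the unsafe
    lookup leaked, rows from the safe lookup or None if the input was rejected)."""
    conn = make_db()
    unsafe_rows = lookup_user_unsafe(conn, uid_from_request)
    try:
        safe_rows = lookup_user_safe(conn, uid_from_request)
    except ValueError:
        safe_rows = None  # rejected before any SQL is built
    return len(unsafe_rows), safe_rows

if __name__ == "__main__":
    # A well-formed id behaves the same in both paths; a value that carries SQL
    # (constructed input, the textbook tautology) returns every row from the
    # unsafe path and is rejected by the safe one.
    print(compare("2"))
    print(compare("1 OR 1=1"))
```

The point for defenders is the one the advisory makes: an escaping layer is shared state whose correctness every caller depends on, and a single flawed mode (here a numeric context, in TYPO3's case MySQL pass-through) exposes every query built on top of it. Parameterised queries remove that dependency, and reviewing code for string-built SQL is the quickest way to find the remaining exposure.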
The second, authored by Helmut Hummel, reports that TYPO3 is susceptible to cross-site scripting (XSS) in the link validator component; in this class of flaw, attackers inject client-side script into web pages viewed by other users. Affected versions are 6.2.0 to 6.2.17 and 7.6.0 to 7.6.2. Hummel attributes the issue to a failure to "sanitize content from editors," which leaves the link validator component susceptible to cross-site scripting. "A valid editor account with access to content which is scanned by the link validator component is required to exploit this vulnerability," Hummel wrote.
The third, also authored by Hummel, again concerns cross-site scripting but is specific to versions 6.2.0 to 6.2.17 and affects the legacy form component rather than the link validator. "A valid editor account with access to a form content element is required to exploit this vulnerability," Hummel wrote.
The fourth and final update also addresses cross-site scripting, this time in the form component. It affects versions 6.2.0 to 6.2.17. "Failing to sanitize content from unauthenticated website visitors, the form component is susceptible to Cross-Site scripting," according to TYPO3 officials.
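All three XSS advisories share one root cause: content supplied by editors (link validator, legacy form) or by anonymous visitors (form component) is written into backend or frontend HTML without sanitisation. The added example below is constructed for this article and is not TYPO3's code; it models a link-check report as a small Python renderer over made-up link records. The unsafe renderer concatenates the stored values into markup; the hardened one HTML-escapes every value and, because escaping does nothing against a `javascript:` URL placed in an `href`, additionally restricts link targets to an allow-list of schemes.

```python
import html
from urllib.parse import urlsplit

# Constructed sample records, shaped like rows a link-check report might list.
# The second record carries markup and a script URL to show what unsanitised
# output does; it is test data, not content from any real site.
SAMPLE_LINKS = [
    {"url": "https://example.org/page", "title": "Example page", "status": "ok"},
    {"url": "javascript:alert(1)", "title": "<img src=x onerror=alert(1)>", "status": "broken"},
]

ALLOWED_SCHEMES = {"http", "https", "mailto"}

ROW_TEMPLATE = '<tr><td><a href="%s">%s</a></td><td>%s</td></tr>'

def render_row_unsafe(link):
    """Vulnerable pattern: stored editor/visitor content is concatenated into
    HTML as-is, so any markup or event handler in it becomes live script."""
    return ROW_TEMPLATE % (link["url"], link["title"], link["status"])

def safe_href(url):
    """Escape the URL for an attribute context and reject schemes that are not
    on the allow-list. Relative URLs (no scheme) are kept."""
    scheme = urlsplit(url).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return "#"
    return html.escape(url, quote=True)

def render_row_safe(link):
    """Hardened pattern: every value is escaped for the context it lands in;
    the href additionally goes through the scheme allow-list."""
    return ROW_TEMPLATE % (
        safe_href(link["url"]),
        html.escape(link["title"], quote=True),
        html.escape(link["status"], quote=True),
    )

def render_report(links, row_renderer):
    """Assemble a whole report table with the given row renderer."""
    return "<table>" + "".join(row_renderer(link) for link in links) + "</table>"

def contains_live_markup(rendered):
    """Crude check used here to compare the two renderers: does the output
    still contain a raw tag or a script URL in an href?"""
    return "<img" in rendered or 'href="javascript:' in rendered

if __name__ == "__main__":
    print(render_report(SAMPLE_LINKS, render_row_unsafe))
    print(render_report(SAMPLE_LINKS, render_row_safe))
```

Escaping at output time, per context, is what the TYPO3 fixes amount to in practice; the scheme check is the extra step that the link-validator case in particular needs, since a URL is data in the table cell but a navigation target in the attribute.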
TYPO3's previous release came in November, according to the community's news releases.
That release, TYPO3 CMS 7 LTS, introduced a redesigned, modernized interface with uniform colors and descriptions, built with responsive design. Officials also announced at the time that image-processing functionality had been integrated into TYPO3.
According to BuiltWith.com, more than 417,000 websites globally are powered by TYPO3, well behind big guns like WordPress (16,010,763 websites), Joomla! (2,655,626 websites) and Drupal (756,194 websites).