TYPO3 security update: 7 vulnerabilities fixed in one go

This article was automatically translated using DeepL. Therefore, inaccuracies may occur.

Today is an important day for all TYPO3 installations: the new versions 12.4.37 LTS and 13.4.18 LTS close seven security vulnerabilities. That is significantly more than usual; a release normally fixes one to three.

Here is an overview of the most important problems so that you know why the update can't wait.

The critical backend vulnerabilities

Workspaces module: Unauthorized database access (HIGH)

The most dangerous problem concerns the Workspaces module. Authenticated backend users could query arbitrary database tables via its AJAX routes, without holding the appropriate authorization.

Specifically: an editor without admin rights could, in theory, read sensitive data from be_users, sys_log or other protected tables. This is particularly critical if you have several user groups with different access rights.

AJAX routes: Missing authorization checks

A related problem with the backend AJAX routes: they were not protected by the same permission checks as the modules themselves. Backend users could call the underlying functions directly, even if they had no authorization for the corresponding module.

TYPO3 now introduces the new route property inheritAccessFromModule to prevent this.
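To make the two backend problems above concrete, here is an added example (my own illustration, not TYPO3 core code) of an AJAX route in a hypothetical extension together with a handler that enforces its own access checks instead of trusting the module. The route key name, the `web_list` module and the controller class are made up; that `inheritAccessFromModule` takes a module identifier as its value is my assumption based on the property name, so check the official advisory for the exact form. The same `tables_select` check is the one a CSV export or any other record listing should perform per table:

```php
<?php
// Added example, not TYPO3 core code. Two files shown in one listing.

// ===== File 1: Configuration/Backend/AjaxRoutes.php (hypothetical extension) =====
// 'inheritAccessFromModule' is the property introduced by the security release.
// Assumption: its value is the identifier of the backend module whose access
// rules the route should inherit.
return [
    'example_table_records' => [
        'path' => '/example/table-records',
        'target' => TableRecordsAjaxController::class . '::listAction',
        'inheritAccessFromModule' => 'web_list',
    ],
];

// ===== File 2: Classes/Controller/TableRecordsAjaxController.php =====
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Http\JsonResponse;
use TYPO3\CMS\Core\Utility\GeneralUtility;

final class TableRecordsAjaxController
{
    public function listAction(ServerRequestInterface $request): ResponseInterface
    {
        $table = (string)($request->getQueryParams()['table'] ?? '');
        $user = $this->getBackendUser();

        // 1. Only tables configured in TCA may be queried at all. This keeps
        //    arbitrary table names (be_users, sys_log, ...) away from the query
        //    builder unless TCA knows them and the user is allowed to read them.
        if ($table === '' || !isset($GLOBALS['TCA'][$table])) {
            return new JsonResponse(['error' => 'unknown table'], 400);
        }

        // 2. Defence in depth: even with inheritAccessFromModule configured,
        //    verify the module permission in the handler itself.
        if (!$user->check('modules', 'web_list')) {
            return new JsonResponse(['error' => 'module access denied'], 403);
        }

        // 3. Per-table read permission ("Tables (listing)" in the user/group
        //    settings). BackendUserAuthentication::check() is true for admins.
        if (!$user->check('tables_select', $table)) {
            // Same message whether or not the table has records: do not leak
            // its existence or size to a user who may not read it.
            return new JsonResponse(['error' => 'table access denied'], 403);
        }

        // Only now touch the database; default restrictions (deleted, ...) apply.
        $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
            ->getQueryBuilderForTable($table);
        $rows = $queryBuilder
            ->select('uid', 'pid')
            ->from($table)
            ->setMaxResults(50)
            ->executeQuery()
            ->fetchAllAssociative();

        return new JsonResponse(['table' => $table, 'rows' => $rows]);
    }

    private function getBackendUser(): BackendUserAuthentication
    {
        return $GLOBALS['BE_USER'];
    }
}
```

The point of steps 2 and 3 is that a route-level property protects the route, but the permission to read a particular table is a separate decision that only the handler can make once it knows which table was requested. Check both, and keep the error responses uniform so that a denied request does not reveal anything about the data behind it.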

Frontend-side problems

Open Redirect: Phishing risk

The Open Redirect vulnerability affects GeneralUtility::sanitizeLocalUrl. This function should actually only allow local URLs, but could be bypassed. Attackers could redirect users to external pages - perfect for phishing attacks.

The problem: if your extension used this utility function and then continued to work with the supposedly "clean" URL, you were vulnerable.
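As an added illustration of what "only allow local URLs" has to mean in practice (my own code, not TYPO3's sanitizeLocalUrl and not a drop-in replacement for it), here is a deliberately strict check that accepts nothing but path-absolute targets. The helper name `isLocalRedirectTarget()` and the sample inputs are constructed for this post:

```php
<?php
// Added example, not TYPO3 core code: a strict "is this redirect target really
// local?" check that an extension can apply before issuing a redirect.
// The helper name isLocalRedirectTarget() is made up for this illustration.

function isLocalRedirectTarget(string $url): bool
{
    // Reject empty values and anything containing control characters or
    // whitespace (a raw CR/LF, for example, could split a Location header).
    if ($url === '' || preg_match('/[\x00-\x20\x7F]/', $url) === 1) {
        return false;
    }

    // Browsers treat a backslash like a forward slash, so "/\host/x" is read
    // as "//host/x". Refuse backslashes outright instead of trying to normalise.
    if (str_contains($url, '\\')) {
        return false;
    }

    // Only path-absolute targets: exactly one leading "/", never "//host".
    if ($url[0] !== '/' || ($url[1] ?? '') === '/') {
        return false;
    }

    // parse_url() must not find a scheme, authority or credentials at all.
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    foreach (['scheme', 'host', 'port', 'user', 'pass'] as $component) {
        if (isset($parts[$component])) {
            return false;
        }
    }

    return true;
}

// Constructed sample inputs for a quick manual run.
$samples = [
    '/index.php?id=42',
    '/login/?redirect=%2Fdashboard',
    '//attacker.example/phish',
    '/\\attacker.example/phish',
    'https://attacker.example/',
    "/ok\r\nSet-Cookie: x=y",
];
foreach ($samples as $sample) {
    printf("%-36s %s\n", addcslashes($sample, "\r\n"),
        isLocalRedirectTarget($sample) ? 'local' : 'refused');
}
```

Two caveats. First, this check is stricter than the core function: it refuses absolute URLs even when they point at your own host, which is fine for most "redirect after login" cases but may be too narrow for others. Second, the check is only useful if the value that passes it is the exact value you redirect to; validating a string and then redirecting to a differently processed copy of it is the pattern the post warns about.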

The other backend vulnerabilities

Bookmark toolbar: Denial of service

Manipulated data in the bookmark toolbar could cause a general error state and block the entire backend. Exploiting this requires admin rights, but it is still annoying when it happens.

Password generation: Weak entropy

There was a pattern problem with automatic password generation: Generated passwords always started with lower-case letters and upper-case numbers. This significantly reduces the effective password strength.
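For readers who generate passwords in their own extensions, here is an added example (my own code, not TYPO3's password generator) of how to avoid exactly this pattern problem: draw every character from a CSPRNG and shuffle the result so that the guaranteed character classes do not sit at fixed positions. `generatePassword()` and `entropyBits()` are made-up helpers, and the "patterned" model below (first three positions each restricted to one class) is an assumption I use only to show the size of the effect, not a description of the vulnerable code:

```php
<?php
// Added example, not TYPO3 core code. Helper names are made up for this post.

const LOWER   = 'abcdefghijklmnopqrstuvwxyz';
const UPPER   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const DIGITS  = '0123456789';
const SPECIAL = '!$%&/()=?+*#-_.,;:';

function generatePassword(int $length = 16): string
{
    $classes = [LOWER, UPPER, DIGITS, SPECIAL];
    if ($length < count($classes)) {
        throw new InvalidArgumentException('length must be at least ' . count($classes));
    }

    // Guarantee at least one character from every class ...
    $chars = [];
    foreach ($classes as $class) {
        $chars[] = $class[random_int(0, strlen($class) - 1)];
    }

    // ... fill the remaining positions from the full alphabet ...
    $all = implode('', $classes);
    while (count($chars) < $length) {
        $chars[] = $all[random_int(0, strlen($all) - 1)];
    }

    // ... and shuffle with a Fisher-Yates driven by random_int(). PHP's
    // shuffle() uses a non-cryptographic generator, and without any shuffle the
    // guaranteed characters would always occupy the first positions, which is
    // the kind of fixed pattern that weakens the password.
    for ($i = count($chars) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
    }

    return implode('', $chars);
}

// Entropy of a scheme, in bits: sum over positions of log2(alphabet size
// available at that position). A fixed class at a position shrinks that term.
function entropyBits(array $alphabetSizes): float
{
    return array_sum(array_map(fn (int $n): float => log($n, 2), $alphabetSizes));
}

$length = 16;
$full   = strlen(LOWER . UPPER . DIGITS . SPECIAL);

// Unpatterned: every position may hold any character of the full alphabet.
$unpatterned = entropyBits(array_fill(0, $length, $full));

// Assumed patterned scheme: position 1 lower-case only, position 2 upper-case
// only, position 3 digit only, the rest unrestricted.
$patterned = entropyBits(array_merge(
    [strlen(LOWER), strlen(UPPER), strlen(DIGITS)],
    array_fill(0, $length - 3, $full)
));

printf("sample password : %s\n", generatePassword($length));
printf("unpatterned     : %.1f bits\n", $unpatterned);
printf("patterned model : %.1f bits\n", $patterned);
```

Note that `generatePassword()` itself is slightly below the unpatterned figure because it forces one character of each class into the result; that small, uniformly spread cost is the usual trade-off for satisfying complexity rules, and it is very different from telling an attacker which class sits at which position.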

File Abstraction Layer: Information Disclosure

When file system operations via the File Abstraction Layer failed, error messages sometimes disclosed complete server paths. This helps attackers map your server structure.

CSV download: Unchecked table accesses

The CSV export function in the List module did not properly check the table permissions. Backend users could export records for which they did not actually have read permission, although only from pages that were already accessible to them in the page tree.

Update strategy

Act immediately: all production installations are affected (TYPO3 9.0.0 to 13.4.17).

Available updates:

  • TYPO3 13.4.18 LTS
  • TYPO3 12.4.37 LTS
  • TYPO3 11.5.48 ELTS
  • TYPO3 10.4.54 ELTS
  • TYPO3 9.5.55 ELTS

Good news: no database updates are required. The update is quick and can be installed during normal operation without any problems.

Especially critical for you if:

  • You have several backend users with different access rights
  • The Workspaces module is in use
  • You work with sensitive customer data
  • Your extensions use GeneralUtility::sanitizeLocalUrl

My conclusion

The backend-related problems should be taken seriously; the information disclosure vulnerabilities in the Workspaces area in particular show how important regular updates are.

The update is straightforward and only takes a few minutes. Given the number of vulnerabilities, you shouldn't wait.


All technical details can be found in the official Security Advisories on typo3.org.


Who writes here?

Hi, I'm Wolfgang.

Since 2006, I've been diving deep into the fascinating world of TYPO3 - it's not only my profession, but also my passion. My path has taken me through countless projects, and I have created hundreds of professional video tutorials focusing on TYPO3 and its extensions. I love unraveling complex topics and turning them into easy-to-understand concepts, which is also reflected in my trainings and seminars.

As an active member of the TYPO3 Education Committee, I am committed to keeping the TYPO3 CMS Certified Integrator exam questions up to date and challenging.

But my passion doesn't end at the screen. When I'm not diving into the depths of TYPO3, you'll often find me on my bike, exploring the scenic trails around Lake Constance. These outdoor excursions are my perfect balance - they keep my mind fresh and always provide me with new ideas.