Debian Security Advisory

DSA-2537-1 typo3-src -- several vulnerabilities

Date Reported:
30 Aug 2012
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2012-3527, CVE-2012-3528, CVE-2012-3529, CVE-2012-3530, CVE-2012-3531.
More information:

Several vulnerabilities were discovered in TYPO3, a content management system.

  • CVE-2012-3527

    An insecure call to unserialize in the help system enables arbitrary code execution by authenticated users.

  • CVE-2012-3528

    The TYPO3 backend contains several cross-site scripting vulnerabilities.

  • CVE-2012-3529

    Authenticated users who can access the configuration module can obtain the encryption key, allowing them to escalate their privileges.

  • CVE-2012-3530

    The RemoveXSS HTML sanitizer did not remove several HTML5 JavaScript, thus failing to mitigate the impact of cross-site scripting vulnerabilities.

For the stable distribution (squeeze), these problems have been fixed in version 4.3.9+dfsg1-1+squeeze5.

For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 4.5.19+dfsg1-1.

We recommend that you upgrade your typo3-src packages.