Security update for typo3-cms-4_7 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2114-1 Final 1 1 2016-08-19T13:25:03Z current 2016-08-19T13:25:03Z 2016-08-19T13:25:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for typo3-cms-4_7 This update for typo3-cms-4_7 fixes the following issues: - CVE-2014-3941: Multiple vulnerabilities (TYPO3-CORE-SA-2014-001) - CVE-2013-4701: Multiple vulnerabilities (TYPO3-CORE-SA-2014-002) - CVE-2013-7073: Multiple vulnerabilities (TYPO3-CORE-SA-2013-004) - other security fixes, e.g. preventing XSS attacks. The package was updated to last upstream version (discontinued) 4.7.20 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-08/msg00083.html E-Mail link for openSUSE-SU-2016:2114-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 typo3-cms-4_7-4.7.20-7.1 typo3-cms-4_7-4.7.20-7.1 as a component of openSUSE Leap 42.1 Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. CVE-2013-4701 openSUSE Leap 42.1:typo3-cms-4_7-4.7.20-7.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-08/msg00083.html https://www.suse.com/security/cve/CVE-2013-4701.html CVE-2013-4701 https://bugzilla.suse.com/1082714 SUSE Bug 1082714 The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters. CVE-2013-7073 openSUSE Leap 42.1:typo3-cms-4_7-4.7.20-7.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-08/msg00083.html https://www.suse.com/security/cve/CVE-2013-7073.html CVE-2013-7073 https://bugzilla.suse.com/1082714 SUSE Bug 1082714 TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing." CVE-2014-3941 openSUSE Leap 42.1:typo3-cms-4_7-4.7.20-7.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-08/msg00083.html https://www.suse.com/security/cve/CVE-2014-3941.html CVE-2014-3941 https://bugzilla.suse.com/1082714 SUSE Bug 1082714 https://bugzilla.suse.com/881282 SUSE Bug 881282