Important security fixes for Typo3 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2025-1 Final 1 1 2016-08-10T16:48:29Z current 2016-08-10T16:48:29Z 2016-08-10T16:48:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Important security fixes for Typo3 Important security fixes for vulnerabilities in typo3 which can be used for Cross-Site Scripting or Denial of Service attacks or for authentication bypassing. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-08/msg00028.html E-Mail link for openSUSE-SU-2016:2025-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings typo3-cms-4_5-4.5.40-2.7.1 typo3-cms-4_7-4.7.20-3.3.1 Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. CVE-2013-4701 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-08/msg00028.html https://www.suse.com/security/cve/CVE-2013-4701.html CVE-2013-4701 https://bugzilla.suse.com/1082714 SUSE Bug 1082714 The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters. CVE-2013-7073 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-08/msg00028.html https://www.suse.com/security/cve/CVE-2013-7073.html CVE-2013-7073 https://bugzilla.suse.com/1082714 SUSE Bug 1082714 TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing." CVE-2014-3941 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-08/msg00028.html https://www.suse.com/security/cve/CVE-2014-3941.html CVE-2014-3941 https://bugzilla.suse.com/1082714 SUSE Bug 1082714 https://bugzilla.suse.com/881282 SUSE Bug 881282