Security update for typo3-cms-4_5 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2169-1 Final 1 1 2016-08-29T05:56:13Z current 2016-08-29T05:56:13Z 2016-08-29T05:56:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for typo3-cms-4_5 This update for typo3-cms-4_5 fixes the following issues: - CVE-2015-2047: Authentication Bypass (TYPO3-CORE-SA-2015-001) - CVE-2014-9508: Link spoofing and cache poisoning (TYPO3-CORE-SA-2014-003) - TYPO3-CORE-SA-2014-002: Multiple Vulnerabilities - CVE-2013-7073: Multiple vulnerabilities (TYPO3-CORE-SA-2013-004) This update contains the last upstream release 4.5.40, LTS discontinued since 04.2015. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-08/msg00106.html E-Mail link for openSUSE-SU-2016:2169-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 typo3-cms-4_5-4.5.40-7.1 typo3-cms-4_5-4.5.40-7.1 as a component of openSUSE Leap 42.1 The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters. CVE-2013-7073 openSUSE Leap 42.1:typo3-cms-4_5-4.5.40-7.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-08/msg00106.html https://www.suse.com/security/cve/CVE-2013-7073.html CVE-2013-7073 https://bugzilla.suse.com/1082714 SUSE Bug 1082714 The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that only contain anchors, allows remote attackers to change URLs to arbitrary domains for those links via unknown vectors. CVE-2014-9508 openSUSE Leap 42.1:typo3-cms-4_5-4.5.40-7.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-08/msg00106.html https://www.suse.com/security/cve/CVE-2014-9508.html CVE-2014-9508 The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4.15, 4.5.0 through 4.5.39, and 4.6.0 through 4.6.18, when configured for the frontend, allows remote attackers to bypass authentication via a password that is casted to an empty value. CVE-2015-2047 openSUSE Leap 42.1:typo3-cms-4_5-4.5.40-7.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-08/msg00106.html https://www.suse.com/security/cve/CVE-2015-2047.html CVE-2015-2047 https://bugzilla.suse.com/919006 SUSE Bug 919006