Package Instance

TYPO3 Allows Privilege Escalation to System Maintainer
### Problem
Administrator-level backend users without system maintainer privileges can escalate their privileges and gain system maintainer access. Exploiting this vulnerability requires a valid administrator account.

### Solution
Update to TYPO3 versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

### Credits
Thanks to Alexander Künzl for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it.

TYPO3 Allows Unrestricted File Upload in File Abstraction Layer
### Problem
By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as executable binaries (e.g., `.exe` files), or files with inconsistent file extensions and MIME types (for example, a file incorrectly named with a `.png` extension but actually carrying the MIME type `application/zip`).

Although such files are not directly executable through the web server, their presence can introduce indirect risks. For example, third-party services such as antivirus scanners or malware detection systems might flag or block access to the website for end users if suspicious files are found. This could negatively affect the availability or reputation of the site.

### Solution
Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

> [!NOTE]
> The mitigation strategies outlined below apply broadly to all file uploads handled through TYPO3's File Abstraction Layer (FAL), not just those performed via the backend interface. This means that any extension or custom integration leveraging FAL will also be subject to the new validation rules and configuration options. Developers are advised to review the implications for their code and refer to the [documentation of that change](https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/12.4.x/Important-106240-EnforceFile-extensionsAndMime-typeConsistencyInFileAbstractionLayer.html) for guidance.

> [!IMPORTANT]
>
> **Strong security defaults - Manual actions required**
> 
> These versions introduce new configuration options to better control which files are permitted for upload and to improve consistency checks.
> 
> A new configuration option, `$GLOBALS['TYPO3_CONF_VARS']['SYS']['miscfile_ext']`, has been added. This option allows administrators to explicitly define which file extensions should be permitted that are not already part of the built-in text or media file groups - examples include archive formats such as `zip` or `xz`.
> 
> In addition, two new feature flags have been introduced to enhance security:
> * `security.system.enforceAllowedFileExtensions`, enforces the defined list of allowed file extensions. This flag is enabled by default in new TYPO3 installations, but remains disabled in existing installations to prevent breaking changes.
> * `security.system.enforceFileExtensionMimeTypeConsistency`, ensures that the uploaded file’s extension matches its actual MIME type, providing further validation of file integrity. This flag is active by default.
> 
> It is recommended to configure the allowed file extensions via `$GLOBALS['TYPO3_CONF_VARS']['SYS']['miscfile_ext']` and to enable the feature flag `security.system.enforceAllowedFileExtensions` to enforce the restriction.

### Credits
Thanks to Hamed Kohi for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it.

TYPO3 Unverified Password Change for Backend Users
### Problem
The backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification.

This behavior may lower the protection against unauthorized access in scenarios where an admin session is hijacked or left unattended, as it enables password changes without additional authentication.

### Solution
Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

> [!NOTE]
> In these versions, administrators are required to verify their identity through step-up authentication (also known as sudo mode) when changing backend user passwords.

### Credits
Thanks to the National Cyber Security Center (NCSC) of Switzerland for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.

TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool
### Problem
Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server.

The vulnerability is triggered when TYPO3 is configured with `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file';` and a scheduler task or cron job runs the command `mailer:spool:send`. The spool‑send operation performs the insecure deserialization that is at the core of this issue.

### Solution
Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

### Credits
Thanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it.

### References
* [TYPO3-CORE-SA-2026-004](https://typo3.org/security/advisory/typo3-core-sa-2026-004)

TYPO3 CMS uses insufficient entropy when generating passwords
A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly.

TYPO3 Allows Information Disclosure via DBAL Restriction Handling
### Problem
When performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the last table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users.

### Solution
Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

### Credits
Thanks to Christian Futterlieb for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.

TYPO3 Potential Open Redirect via Parsing Differences
### Problem
Applications that use `TYPO3\CMS\Core\Http\Uri` to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing the validation checks.

### Solution
Update to TYPO3 versions 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.

### Credits
Thanks to Sam Mush and Christian Eßl who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue.

### References
* [TYPO3-CORE-SA-2025-002](https://typo3.org/security/advisory/typo3-core-sa-2025-002)