Skip to main content

Mobile Apps

Maßgeschneidert für Prozesse und Funktionen bieten Apps in der heutigen Zeit eine große Rolle bei der Optimierung. Wir bieten Ihnen einen umfassenden Service bei der Konzeption und Realisierung Anwendungen (Nativ oder als Web App mit Phonegap).

Targeting

We help you find the people you need for business. Online marketing concepts and plans are integrated thru workflows and processes.

360° showrooms

Enhance your business on google maps - and enable people to walk thru your showrooms and more.

Make it your own

This distribution is developed to help you getting an easy entry into TYPO3 CMS. It can be used as an example to play around or to kickstart your own projects.

 

Included features of the Introduction Package

  • TYPO3 CMS custom theme for Twitter Bootstrap
  • Customize the theme via LESS editor backend module
  • All Content Elements mapped to fit Twitter Bootstrap
  • Example additional content elements for carousel and accordion
  • All settings editable via the TypoScript constant editor
  • Responsive images enabled

News System

TYPO3-EXT-SA-2021-017: Multiple vulnerabilities in extension "pixx.io integration for TYPO3 (DAM)" (pixxio)

 

 

 

  • Release Date: November 10, 2021
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "pixx.io integration for TYPO3 (DAM)" (pixxio)
  • Vulnerability Type: Server-side request forgery, Remote Code Execution, Broken Access Control and vulnerable 3rd Party Components.
  • Affected Versions: 1.0.4 and below
  • Severity: High
  • Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:F/RL:O/RC:C
  • References: CVE-2021-43562 and CVE-2021-43563

Problem Description

The extension fails to restrict the image download to the configured pixx.io DAM URL resulting in Server-side request forgery. As a result of the Server-side request forgery vulnerability, an attacker can download various content from a remote location and save it to a user controlled filename which may result in Remote Code Execution. A TYPO3 backend user account is required to exploit both vulnerabilities.

The Access Control in the bundled media browser is broken, which allows an unauthenticated attacker to perform requests to the pixx.io API for the configured API user. This allows an attacker to download various media files from the DAM system.

Finally the extension bundles the 3rd Party Component jQuery 3.3.1  which contains known security vulnerabilities.

Solution

An updated version 1.0.6 is available from the TYPO3 extension manager and at

https://extensions.typo3.org/extension/download/pixxio/1.0.6/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Andrey Basarygin, Andrey Guzei, Mikhail Khramenkov, Alexander Sidukov and Maxim Teplykh from Solar Security  for reporting the SSRF issue, to Security Team Member Torben Hansen for finding the additional issues and to Christoph Trautbeck for providing an updated version of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.