TYPO3 11.5.16 and 10.4.32 security updates released

On 13.09.2022 the versions 11.5.16 and 10.4.32 of TYPO3 was released.

This releases are security releases that fixes the following errors / bugs:

• Denial of Service in Page Error Handling (TYPO3-CORE-SA-2022-006)
• User Enumeration via Response Timing (TYPO3-CORE-SA-2022-007)
• Missing check for expiration time of password reset token for backend users (TYPO3-CORE-SA-2022-008)
• Stored Cross-Site Scripting via FileDumpController (TYPO3-CORE-SA-2022-009)
• Cross-Site Scripting in <f:asset.css> view helper (TYPO3-CORE-SA-2022-010)
• By-passing Cross-Site Scripting Protection in HTML Sanitizer (TYPO3-CORE-SA-2022-011)

In addition, the following errors / bugs were fixed between versions 11.5.15 and 11.5.16:

• Revert modified cache handling in form framework
• Handle undefined tt_content_defValues in NewContentElementController
• Trim provided external URL in linkwizard modal
• Do not render clipboard errors as notification
• Use correct data attribute name for doktype select
• Check if titleText is available in classesAnchor RTE config
• List invalid field in FormEngine review
• Fix condition in EXT:impexp to check for export view

Additional to this the following errors / bugs were fixed between versions 10.4.31 and 10.4.32:

• Avoid open_basedir errors when referencing absolute URLs
• Disable pagetree drag and drop for touch inputs
• Allow non-valid absolute paths for createVersionNumberFileName
• Use sanitized filename as source identifier when replacing an image
• Add sys_language_uid for PageSlugCandidateProvider
• Prevent duplicate page tree items when entry points intersect
• Raise minimum version of symfony/mime to 4.4.16 / 5.1.8
• Skip resolving backpath for already absolute paths

Due to the security related bugs an update is highly recommended.