TYPO3 11.5.16 and 10.4.32 security updates released

On 13.09.2022, versions 11.5.16 and 10.4.32 of TYPO3 were released.

These releases are security releases that fix the following errors / bugs:

  • Denial of Service in Page Error Handling (TYPO3-CORE-SA-2022-006)
  • User Enumeration via Response Timing (TYPO3-CORE-SA-2022-007)
  • Missing check for expiration time of password reset token for backend users (TYPO3-CORE-SA-2022-008)
  • Stored Cross-Site Scripting via FileDumpController (TYPO3-CORE-SA-2022-009)
  • Cross-Site Scripting in <f:asset.css> view helper (TYPO3-CORE-SA-2022-010)
  • By-passing Cross-Site Scripting Protection in HTML Sanitizer (TYPO3-CORE-SA-2022-011)

In addition, the following errors / bugs were fixed between versions 11.5.15 and 11.5.16:

  • Revert modified cache handling in form framework
  • Handle undefined tt_content_defValues in NewContentElementController
  • Trim provided external URL in linkwizard modal
  • Do not render clipboard errors as notification
  • Use correct data attribute name for doktype select
  • Check if titleText is available in classesAnchor RTE config
  • List invalid field in FormEngine review
  • Fix condition in EXT:impexp to check for export view

In addition, the following errors / bugs were fixed between versions 10.4.31 and 10.4.32:

  • Avoid open_basedir errors when referencing absolute URLs
  • Disable pagetree drag and drop for touch inputs
  • Allow non-valid absolute paths for createVersionNumberFileName
  • Use sanitized filename as source identifier when replacing an image
  • Add sys_language_uid for PageSlugCandidateProvider
  • Prevent duplicate page tree items when entry points intersect
  • Raise minimum version of symfony/mime to 4.4.16 / 5.1.8
  • Skip resolving backpath for already absolute paths

Because of the security-related bugs, an update is highly recommended.
