Contao news

On the occasion of a remote code execution vulnerability that has been discovered in the PDF export function, a consolidated security update for TYPOlight 2.6, 2.7 and 2.8 has been released today. The vulnerability can only be exploited under certain circumstances and does not affect all installations. Nevertheless, it is highly recommended to update.

Fixed vulnerabilities

The consolidated security update fixes four vulnerabilities:

1. Critical security hole in the TYPOlight install tool

This security hole discovered in December 2009 affects all TYPOlight installations prior to version 2.7.6 and can be considered very critical. Patches for all versions from TYPOlight 2.4 are available and should be applied at all events.

2. Potential request forgery vulnerability in the file manager

This potential vulnerability affects all TYPOlight installations prior to version 2.8.2. There is no exploit so far and additionally only logged in back end users could exploit the vulnerability at all, which highly reduces the number of potential attackers.

3. Content inclusion vulnerability in the search module

This vulnerability affects all TYPOlight installations prior to version 2.8.2, which use the search module. It allows attackers under certain circumstances to read protected articles using the website search.

4. Remote code execution vulnerability in the PDF export function

This vulnerability affects all TYPOlight installations from version 2.7 and prior to version 2.8.3, which use the PDF export function in combination with the comments module. The comments module alone or the PDF export alone are not affected. Also, the exploit is rather obvious and should catch your eye while reading the comments in the back end or front end.

Backporting the changes

All vulnerabilities are fixed in the current version 2.8.3. For security reasons, it is highly recommended to always use a current TYPOlight version! In this case, the changes have additionally been backported and the versions 2.7.7 and 2.6.8 have been released. Older TYPOlight versions (2.5, 2.4 or even older) should not be used anymore.

All version 2.8.3 changes

Get an overview of all version 2.8.3 changes in the ticket system or the changelog.

Download the release from github.com.