Advisories for Composer/Typo3/Flow package

It has been discovered that Flow 3.0.0 allows arbitrary file uploads, inlcuding server-side scripts, posing the risk of attacks. If those scripts are executed by the server when accessed through their public URL, anything not blocked through other means is possible (information disclosure, placement of backdoors, data removal, …). Note: The upload of files is only possible if the application built on Flow provides means to do so, and whether …

The PersistedUsernamePasswordProvider was prone to a information disclosure of account existance based on timing attacks as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were submitted at all.

Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within FLOW3. To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the FLOW3 Base Distribution. However, there might be exploitable objects within user applications.

If you had used entity security and wanted to secure entities not just based on the user's role, but on some property of the user (like the company he belongs to), entity security did not work properly together with the doctrine query cache. This could lead to other users re-using SQL queries from the cache which were built for other users; and thus users could see entities which were not …

The PersistedUsernamePasswordProvider is prone to a information disclosure of account existence based on timing attacks as the hashing of passwords is only done in case an account is found.

Time-Based Information Disclosure Vulnerability in Flow.

A potential XML External Entity processing vulnerability has been discovered in the MediaTypeConverter.

Arbitrary file upload and XML External Entity processing.

There's a flaw that allows arbitrary file uploads, including server-side scripts, posing the risk of attacks.

Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in TYPO3 Flow (formerly FLOW3) allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message.

Insecure Unserialize Vulnerability in FLOW3.