15 June 2022
TYPO3 version 10.4.30 is now available (security release).
Upgrading to TYPO3 10.4.30
You can upgrade to (or install) TYPO3 10.4.30 using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply TYPO3 updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing TYPO3 install and test the 10.4.30 upgrade before applying it live.
What's New in TYPO3 10.4.30
Bug Fixes and Changes
- [BUGFIX] Properly apply system maintainer role to backend admins
- TYPO3-CORE-SA-2022-001 - Information Disclosure via Export Module - The export functionality fails to limit the result set to allowed columns of a particular database table. This allows authenticated users to export internal details of database tables to which they already have access.
- TYPO3-CORE-SA-2022-002 - Information Disclosure via Exception Handling/Logger - It has been discovered that system internal credentials or keys (e.g. database credentials) were logged in plaintext by exception handlers when logging the complete exception stack trace.
- TYPO3-CORE-SA-2022-003 - Cross-Site Scripting in Form Framework - It has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability.
- TYPO3-CORE-SA-2022-004 - Cross-Site Scripting in Frontend Login Mailer - User-submitted content was used without being properly encoded in HTML emails sent to users. The components actually affected were the mail clients used to view those messages.
- TYPO3-CORE-SA-2022-005 - Insufficient Session Expiration in Admin Tool - Admin Tool sessions initiated via the TYPO3 backend user interface were not revoked even if the corresponding user account was downgraded to lower permissions or disabled completely. As a result, sessions in the Admin Tool could theoretically have been prolonged without any limit.
Bug Fixes and Changes
- [BUGFIX] Apply empty values in language-overlay
- [BUGFIX] Update guzzlehttp/guzzle to 6.5.7
- [TASK] Extend 'runTests.sh' to clean rendered documentation
- [BUGFIX] Use moment.unix for visualizing regular unix timestamps
- [BUGFIX] Use the correct pluralized key in search results
- [TASK] Drop PhpStorm meta configuration for getAccessibleMock & friends
- [TASK] Raise to recent moment & moment-timezone versions
- [TASK] Update copyright year in README.md and INSTALL.md
- [BUGFIX] Update guzzlehttp/guzzle to 6.5.6
- [DOCS] Remove outdated note in fluid_styled_content
- [DOCS] Use correct middleware name 'typo3/cms-frontend/authentication'
- [TASK] Raise lolli42/finediff:^1.0.1