TYPO3 11.5.12
15 June 2022
TYPO3 version 11.5.12 is now available (security release).
Upgrading to TYPO3 11.5.12
TYPO3 11.5.12 can be installed, or an existing install upgraded to it, using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply TYPO3 updates as new versions are released, or use Installatron's Clone feature to duplicate an existing TYPO3 install and test the 11.5.12 upgrade before applying it live.
What's New in TYPO3 11.5.12
11.5.12
Bug Fixes and Changes
- [BUGFIX] Properly apply system maintainer role to backend admins
11.5.11
Security
- TYPO3-CORE-SA-2022-001 - Information Disclosure via Export Module - The export functionality fails to limit the result set to allowed columns of a particular database table. This allows authenticated users to export internal details of database tables to which they already have access.
- TYPO3-CORE-SA-2022-002 - Information Disclosure via Exception Handling/Logger - It has been discovered that system-internal credentials or keys (e.g. database credentials) were logged in plaintext by exception handlers when logging the complete exception stack trace.
- TYPO3-CORE-SA-2022-003 - Cross-Site Scripting in Form Framework - It has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability.
- TYPO3-CORE-SA-2022-004 - Cross-Site Scripting in Frontend Login Mailer - User-submitted content was used in HTML emails sent to users without being properly encoded. The components actually affected were the mail clients used to view those messages.
- TYPO3-CORE-SA-2022-005 - Insufficient Session Expiration in Admin Tool - Admin Tool sessions initiated via the TYPO3 backend user interface were not revoked even if the corresponding user account was downgraded to lower permissions or disabled completely. As a result, sessions in the Admin Tool could theoretically have been prolonged without any limit.
Bug Fixes and Changes
- [BUGFIX] Update guzzlehttp/guzzle to 7.4.4
- [BUGFIX] Wait for element in page tree to disappear
- [BUGFIX] Enable login refresh form submit via ENTER key
- [TASK] Extend 'runTests.sh' to clean rendered documentation
- [TASK] Add support for PHP8.2 to Build/Scripts/runTests.sh
- [TASK] Avoid failing test value for PHP 8.1.7 strtotime bug
- [BUGFIX] Use moment.unix for visualizing regular unix timestamps
- [BUGFIX] Throw 404 error when XML sitemap is not available
- [BUGFIX] Apply empty values in language-overlay
- [TASK] Resolve more dead code paths
- [TASK] Remove type annotations where possible
- [BUGFIX] Avoid invalid type exception in FinisherVariableProvider
- [TASK] Solve several phpstan issues in GifBuilder
- [BUGFIX] Fix randomly failing PageTreeFilterCest
- [BUGFIX] Avoid type error when importing content
- [TASK] Drop PhpStorm meta configuration for getAccessibleMock & friends
- [BUGFIX] Align translation prefix handling in DataMapProcessor
- [BUGFIX] Respect ordering in pagination of redirect module
- [BUGFIX] Fix crashes for current and getInfo on empty storages
- [BUGFIX] Use configuration context for placeholders in YAML import
- [BUGFIX] Ensure proper value when accessing array
- [BUGFIX] Use correct check for disabled field in DataHandler
- [TASK] Align the test field annotations with the testing framework
- [BUGFIX] Late bind drag uploader
- [TASK] Raise to recent moment & moment-timezone versions
- [TASK] Improve a type annotation in the setup extension
- [TASK] Raise to recent composer/composer 2.2 version
- [BUGFIX] Make schedulable commands field identifiers unique
- [TASK] Note nullable parameters and returns as such
- [TASK] Fix wrong indentation in Context class
- [TASK] Update PHPStan to version 1.7.3
- [TASK] Make the return type of GeneralUtility::tempnam more specific
- [BUGFIX] Resolve a stray strpos call
- [BUGFIX] Mark nullable properties in EXT:core as such
- [TASK] Remove dead code paths identified by PHPStan
- [TASK] Update copyright year in README.md and INSTALL.md
- [DOCS] Streamline felogin documentation
- [BUGFIX] Update guzzlehttp/guzzle to 7.4.3
- [BUGFIX] Fix typolink parameter stdWrap when using additional info
- [BUGFIX] Disable toggle all action in multi record selection
- [BUGFIX] Prevent TypeError in ActionController
- [BUGFIX] Properly handle shortcuts for creating new records
- [BUGFIX] Prevent undefined array key warnings in RecordHistory
- [TASK] Simplify code in ConjunctionValidator
- [BUGFIX] Take dev mode into account for package hash
- [BUGFIX] Avoid undefined array key warnings in GifBuilder
- [BUGFIX] Prevent undefined array key warning when fetching session data
- [BUGFIX] Fix typo in description for BE.compressionLevel
- [TASK] Avoid method_exists() for phpunit 8 compat
- [TASK] Raise typo3/testing-framework:^6.16.5
- [TASK] Update PHPStan to version 1.7.0
- [TASK] Raise phpstan/phpstan:^1.6.9
- [TASK] Note more nullable properties and parameters
- [BUGFIX] Use correct time format in from and to filter
- [BUGFIX] Use plugin icon in content element preview
- [BUGFIX] Resolve type issues in SemaphoreLockStrategy
- [BUGFIX] Show missing total amount and time of sql queries
- [DOCS] Remove outdated note in fluid_styled_content
- [DOCS] Use correct middleware name 'typo3/cms-frontend/authentication'
- [TASK] Use more ::class notation for class names in tests
- [TASK] Resolve PHPStan issues in AbstractRecycleTestCase
- [BUGFIX] Stop mocking classes that do not exist
- [TASK] Address phpstan "Expression on left side of ??" errors
- [BUGFIX] Fix type warnings in the workspaces ActionHandler
- [BUGFIX] Prevent undefined array key warning in CleanFlexFormsCommand
- [BUGFIX] Exclude doktypes in SiteConfiguration
- [DOCS] Remove duplicate number sign
- [DOCS] Correct naming of UI label
- [BUGFIX] Correct TCA title in ext:blogexample dateexample
- [TASK] Raise lolli42/finediff:^1.0.1
- [DOCS] Fix typo in rte_ckeditor docs
- [BUGFIX] Fix undefined array key in TemplateService