Privilege Escalation in TYPO3 Neos

It has been discovered that TYPO3 Neos is vulnerable to Privilege Escalation.

Component Type: TYPO3 Neos

Release Date: March 28, 2015

Bulletin Update: none

Vulnerability Type: Authentication Bypass

Affected Versions: 1.1.0 to 1.1.2 and 1.2.0 to 1.2.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

CVE: not assigned yet

Problem Description: It has been discovered that TYPO3 Neos is vulnerable to Privilege Escalation. Logged-in editors could access, create and modify content nodes that exist in the workspace of other editors.

Solution: Update to TYPO3 Neos version 1.1.3 or 1.2.3, which fix the problem described.

Credits: Thanks to Robert Lemke, who discovered the vulnerability, and to Andreas Förthner, who reported and fixed it.

General Advice: Please subscribe to the typo3-announce mailing list.