The sample data plugins lack ACL checks, allowing unauthorized access.
The media form field lacks escaping, leading to a Cross-Site Scripting (XSS) vulnerability.
The item_title layout in edit views lacks escaping, leading to a Cross-Site Scripting (XSS) vulnerability.
The JSON handler in com_config lacks input validation, leading to an XSS vulnerability.
The phar:// stream wrapper can be used for object injection attacks. We now disallow usage of the phar:// handler for non-.phar files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.
Inadequate parameter handling in JS code could lead to an XSS attack vector.
Inadequate checks on the Global Configuration helpurl setting allowed a stored XSS.
"No Filtering" textfilter overrides child settings in the Global Configuration. This is intended behavior but might be unexpected for the user. An additional message is now shown in the configuration dialog.
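To make the phar:// mitigation above concrete, here is an added illustration of the interception pattern the TYPO3 PHAR stream wrapper uses; it is not Joomla's or TYPO3's code. It assumes the only policy to enforce is the one stated in the note (the archive path must end in ".phar") and that the hypothetical class name RestrictedPharStreamWrapper is registered during CMS bootstrap.

```php
<?php
// Added illustration, not Joomla's or TYPO3's code: a minimal phar:// interceptor
// following the pattern of the TYPO3 PHAR stream wrapper. The only policy enforced
// here is the one the release note states: the archive path must end in ".phar".
final class RestrictedPharStreamWrapper
{
    private $handle;   // underlying native phar:// stream resource
    public $context;   // set by PHP when a stream context is passed
    // Policy check shared by every entry point. url_stat matters most: a plain
    // file_exists()/is_file() on a phar:// path already unserializes the archive
    // metadata, so the check must run before any native phar operation.
    public static function assertAllowed(string $path): void
    {
        if (!preg_match('#^phar://.*?\.phar(?:/|$)#i', $path)) {
            throw new RuntimeException('Blocked phar:// access to a non-.phar file: ' . $path);
        }
    }
    // Run $fn with PHP's built-in phar wrapper restored, then re-install this one.
    private static function withNativeWrapper(callable $fn)
    {
        stream_wrapper_restore('phar');
        try {
            return $fn();
        } finally {
            stream_wrapper_unregister('phar');
            stream_wrapper_register('phar', self::class);
        }
    }
    public function stream_open(string $path, string $mode, int $options, ?string &$openedPath): bool
    {
        self::assertAllowed($path);
        $this->handle = self::withNativeWrapper(fn () => @fopen($path, $mode));
        return is_resource($this->handle);
    }
    public function url_stat(string $path, int $flags)
    {
        self::assertAllowed($path);
        return self::withNativeWrapper(fn () => @stat($path));
    }
    public function stream_read(int $count) { return fread($this->handle, $count); }
    public function stream_eof(): bool { return feof($this->handle); }
    public function stream_stat() { return fstat($this->handle); }
    public function stream_close(): void { fclose($this->handle); }
}
// Install globally, e.g. during CMS bootstrap: replace the built-in phar wrapper.
stream_wrapper_unregister('phar');
stream_wrapper_register('phar', RestrictedPharStreamWrapper::class);
```

After registration, file_exists('phar:///var/www/upload/image.jpg') throws instead of parsing the file as an archive, while phar:///path/app.phar/config.json still resolves through the native wrapper.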