The sample data plugins lack ACL checks, allowing unauthorized access.
The media form field lacks escaping, leading to a Cross-Site Scripting (XSS) vulnerability.
The item_title layout in edit views lacks escaping, leading to a Cross-Site Scripting (XSS) vulnerability.
The JSON handler in com_config lacks input validation, leading to an XSS vulnerability.
The phar:// stream wrapper can be used for object injection attacks (PHP unserializes Phar metadata on file operations such as file_exists() or fopen()). We now disallow usage of the phar:// handler for non-.phar files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.
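To show how the mitigation described in the last item works in principle, here is an added illustration that is not Joomla's or TYPO3's own code: a minimal replacement phar:// wrapper that denies any path whose on-disk archive does not end in .phar and delegates allowed paths to PHP's built-in wrapper. It assumes PHP 7.4+ and that it is registered once at bootstrap, since stream wrappers are process-global.

```php
<?php
// Added illustration (not Joomla's or TYPO3's code): restrict phar:// to .phar archives.
final class RestrictedPharWrapper
{
    public $context;
    private $handle;

    // Walk the segments after "phar://" until one names an existing file; that file is
    // the archive PHP would open (e.g. phar:///tmp/a.phar/inner.txt -> /tmp/a.phar).
    public static function archiveFile(string $path): ?string
    {
        $candidate = '';
        foreach (explode('/', substr($path, strlen('phar://'))) as $i => $seg) {
            $candidate .= ($i === 0 ? '' : '/') . $seg;
            if ($candidate !== '' && is_file($candidate)) {
                return $candidate;
            }
        }
        return null;
    }

    public static function isAllowed(string $path): bool
    {
        $archive = self::archiveFile($path);
        return $archive !== null && strtolower(pathinfo($archive, PATHINFO_EXTENSION)) === 'phar';
    }

    // Run $fn with PHP's native phar wrapper temporarily restored, then re-install ours.
    private static function withNative(callable $fn)
    {
        stream_wrapper_restore('phar');
        try { return $fn(); } finally {
            stream_wrapper_unregister('phar');
            stream_wrapper_register('phar', self::class);
        }
    }

    public function stream_open(string $path, string $mode, int $options, ?string &$opened): bool
    {
        if (!self::isAllowed($path)) {
            trigger_error("phar:// denied for non-.phar archive: $path", E_USER_WARNING);
            return false;
        }
        $this->handle = self::withNative(fn () => fopen($path, $mode));
        return $this->handle !== false;
    }
    public function stream_read(int $count) { return fread($this->handle, $count); }
    public function stream_eof(): bool { return feof($this->handle); }
    public function stream_close(): void { fclose($this->handle); }
    // file_exists()/is_file() also unserialize Phar metadata, so url_stat enforces the same policy.
    public function url_stat(string $path, int $flags)
    {
        return self::isAllowed($path) ? self::withNative(fn () => @stat($path)) : false;
    }
}

stream_wrapper_unregister('phar');
stream_wrapper_register('phar', RestrictedPharWrapper::class);
```

With this installed, `file_exists('phar://uploads/avatar.jpg')` returns false with a warning instead of unserializing whatever metadata the uploaded file carries, while a genuine `phar://vendor/tool.phar/...` path keeps working.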