ASA-2019-00585 – TYPO3 extension Direct Mail (direct_mail): Information Disclosure

A missing access check in the backend module of the extension allows a backend user who lacks access to the configured recipient tables (e.g. fe_users, tt_address) to view and export the data of users subscribed to a newsletter.
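The missing check described above is a table-level permission check that a backend module should run before it reads or exports recipient rows. The following is an added example, not code from the Direct Mail extension or its fix; it assumes TYPO3's `BackendUserAuthentication` API (`isAdmin()` and `check('tables_select', $table)`, the same permission the core List module enforces) and uses the two table names the advisory mentions as a constructed list.

```php
<?php
declare(strict_types=1);

use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;

/**
 * Tables the recipient list is built from. The names are the ones the
 * advisory mentions; a real module would read them from its configuration.
 */
const RECIPIENT_TABLES = ['fe_users', 'tt_address'];

/**
 * Return the subset of $tables the backend user may read.
 * Admins may read everything; every other user needs "tables_select"
 * on each table, which is what the core List module checks as well.
 */
function readableRecipientTables(BackendUserAuthentication $beUser, array $tables): array
{
    if ($beUser->isAdmin()) {
        return $tables;
    }
    return array_values(array_filter(
        $tables,
        static fn (string $table): bool => $beUser->check('tables_select', $table)
    ));
}

/**
 * Throw unless the user may read every table the view or export touches.
 * Called at the top of the module action, before any query is issued, so a
 * user without the permission never receives a row, neither in the list view
 * nor through the export.
 */
function assertRecipientTableAccess(BackendUserAuthentication $beUser, array $tables): void
{
    $missing = array_diff($tables, readableRecipientTables($beUser, $tables));
    if ($missing !== []) {
        throw new \RuntimeException(sprintf(
            'Backend user %d has no read access to table(s): %s',
            (int)($beUser->user['uid'] ?? 0),
            implode(', ', $missing)
        ));
    }
}

// Usage inside a module controller action (constructed):
// assertRecipientTableAccess($GLOBALS['BE_USER'], RECIPIENT_TABLES);
// ... only then build the recipient query and render or export it ...
```

Running the check once per action, rather than per row, keeps the export path and the list view consistent: both fail closed with the same exception instead of one of them silently skipping the permission.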

ASA-2019-00583 – TYPO3 extension SLUB: Event Registration (slub_events): Multiple vulnerabilities

The extension allows uploading arbitrary files to the web server. For versions 1.2.2 and below, this vulnerability results in Remote Code Execution. In versions later than 1.2.2, the vulnerability can result in Denial of Service, since the webspace can be filled up with arbitrary files. The extension also ships jQuery 2.2.4, which is known to be vulnerable to Cross Site Scripting.
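Both failure modes the advisory names, code execution from an uploaded file and disk exhaustion from unlimited uploads, come from the same missing validation on the upload path. The following is an added example of a hardened upload handler in plain PHP; it is not code from the slub_events extension or its fix. The size limits, the allow-list of types and the storage path are constructed values, and the handler assumes `$storageDir` is a directory the web server does not serve.

```php
<?php
declare(strict_types=1);

/** Per-file and per-directory byte limits (constructed values). */
const MAX_FILE_BYTES = 2 * 1024 * 1024;
const MAX_DIR_BYTES  = 200 * 1024 * 1024;

/** Allowed extensions and the MIME types their content must sniff as. */
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

/** Total size of the regular files directly inside $dir. */
function bytesInDirectory(string $dir): int
{
    $total = 0;
    foreach (new DirectoryIterator($dir) as $entry) {
        if ($entry->isFile()) {
            $total += $entry->getSize();
        }
    }
    return $total;
}

/**
 * Validate one entry of $_FILES and move it into $storageDir.
 * Returns the generated file name; throws on any failed check.
 */
function storeUploadedFile(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int)$file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Size cap per file, then a quota for the whole directory so repeated
    // uploads cannot fill the webspace.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_FILE_BYTES) {
        throw new RuntimeException('File size out of range');
    }
    if (bytesInDirectory($storageDir) + $size > MAX_DIR_BYTES) {
        throw new RuntimeException('Upload quota exhausted');
    }

    // The client-supplied name is used only to look up the allow-list key;
    // it is never reused, so double extensions gain nothing.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('File type not allowed');
    }

    // The sniffed content type must agree with the claimed extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException('File content does not match its extension');
    }

    // Random server-chosen name, non-executable mode, outside the web root.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);
    return $name;
}

// Usage (constructed): the directory must not be reachable through the web server.
// $name = storeUploadedFile($_FILES['attachment'], '/var/lib/app/uploads');
```

The two controls that matter most are the storage location and the generated name: even if a type check were bypassed, a file that the web server never serves and whose name the uploader does not choose cannot be executed by requesting it. The quota is what turns the remaining risk from a denial of service into an ordinary error.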