Today two security bulletins have been released:
Multiple Vulnerabilities in TYPO3 CMS
The Vulnerability Types include Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing. To fix the problems the new TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 and 6.2.3 have been released.
Breaking Change!
These TYPO3 versions introduce a new configuration option:
$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']
If you ran into the error message „current host header does not match trusted hosts pattern“ after the update to the above mentioned TYPO3 versions please make sure to set the trustedHostsPattern as described in the Security Bulletin TYPO3-CORE-SA-2014-001.
When using CloudFlare flexible SSL and it crashes have a look at the Forge Issue #59021.
Arbitrary code execution in extension „powermail“ (powermail)
The extension powermail offers the possibility to upload files. It was discovered that it was possible to upload files with specially crafted file extensions, which could be executed as PHP files on the server when using Apache as web server with mod_mime available (default). Uploading files in powermail is possible without finally submitting the form, so a malicious file could be uploaded without further discovery. Failing to check the uploaded file name against the fileDenyPattern pattern, powermail is susceptible to arbitrary code execution. This is a critical issue!
For more details see Security Bulletin TYPO3-EXT-SA-2014-007.