Oliver Hader authored
Inline JavaScript settings for RequireJS and ajaxUrls disclose the
existence of specific extensions in a TYPO3 installation.

In case no backend user is logged in, RequireJS settings are fetched
using a corresponding endpoint; ajaxUrls (for backend AJAX routes) are
limited to those that are accessible without having a user session.

Resolves: #83855
Releases: master, 9.5, 8.7
Security-Commit: a9b60d26597449fec46bd26e0b511bc6e423ef24
Security-Bulletin: TYPO3-CORE-SA-2019-001
Change-Id: Ifa4029340e750baaf216fa953bf41b6d06d3138b
Reviewed-on: https://review.typo3.org/59534


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
da6d0adf