Multiple vulnerabilities in "Aimeos shop and e-commerce framework" (aimeos)

Tue. 18th June, 2024

It has been discovered that the extension "Aimeos shop and e-commerce framework" (aimeos) is susceptible to Remote Code Execution and Insecure Direct Object Reference.

This is a companion discussion topic for the original entry at https://typo3.org/article/typo3-ext-sa-2024-005

This does not seem to be correct.

We looked into the changes made in the different versions of the composer package aimeos/aimeos-typo3 and none of these changes seem to address any of the mentioned vulnerabilities.

Norbert himself said that these fixes are in packages other than aimeos/aimeos-typo3, but there are no requirement changes in these versions.
So even if other packages are the problem, updating this one should not help.

Am I missing something?