It has been discovered that the extension "Aimeos shop and e-commerce framework" (aimeos) is susceptible to Remote Code Execution and Insecure Direct Object Reference.
We looked into the changes made in the different versions of the Composer package aimeos/aimeos-typo3, and none of these changes seem to address any of the mentioned vulnerabilities.
Norbert himself said that these fixes are in other packages than aimeos/aimeos-typo3, but there are no requirement changes in these versions.
So even if other packages are the problem, updating this one should not help.