Multiple vulnerabilities in "Aimeos shop and e-commerce framework" (aimeos)

Tue. 18th June, 2024

It has been discovered that the extension "Aimeos shop and e-commerce framework" (aimeos) is susceptible to Remote Code Execution and Insecure Direct Object Reference.

This does not seem to be correct.

We looked into the changes made in the different versions of the Composer package aimeos/aimeos-typo3 and none of these changes seem to address any of the mentioned vulnerabilities.

Norbert himself said that these fixes are in other packages than aimeos/aimeos-typo3, but there are no requirement changes in these versions.
So even if other packages are the problem, updating this one should not help.

Am I missing something?