TYPO3 Faceted Search Extension XML External Entity Injection Vulnerability

Vulnerability

A vulnerability in the TYPO3 extension 'Faceted Search' (ke_search) allows for XML External Entity (XXE) injection. The issue arises because the OOXML parser in the file indexer does not disable external entity resolution. This flaw enables a crafted xlsx or pptx document placed in an indexed directory to read local files or make outbound HTTP requests, with the retrieved content being added to the search index. Additionally, the file indexer's directory path normalization is inadequate, permitting path traversal exploitation to access arbitrary server files.
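As an added example that is not code from the ke_search extension or this advisory, the following Python script shows the two pre-indexing checks the description implies a file indexer should make: refuse candidate paths that resolve outside the indexed root, and flag OOXML parts that carry a DOCTYPE, since that is the only place an external entity can be declared. The root directory, file names and the entity URI are assumed placeholders, and the sample documents are constructed in memory.

```python
"""Defensive pre-indexing checks for xlsx/pptx files (added example, stdlib only)."""
import io
import os
import re
import zipfile

# Well-formed Office parts never carry a DOCTYPE; its presence is the
# signal that an external (or any) entity declaration is being smuggled in.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def ooxml_parts_with_doctype(data: bytes) -> list[str]:
    """Names of XML parts inside an OOXML zip that declare a DOCTYPE."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue
            if DOCTYPE_RE.search(zf.read(name)):
                flagged.append(name)
    return flagged


def is_inside_root(root: str, candidate: str) -> bool:
    """True only if candidate resolves (symlinks and '..' included) under root."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(os.path.join(real_root, candidate))
    return os.path.commonpath([real_root, real_path]) == real_root


def build_sample(shared_strings: bytes) -> bytes:
    """Constructed minimal xlsx-like zip with a single sharedStrings part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("xl/sharedStrings.xml", shared_strings)
    return buf.getvalue()


BENIGN = build_sample(b'<?xml version="1.0"?><sst><si><t>hello</t></si></sst>')
# Constructed sample: declares an external entity the indexer must never
# resolve. The URI is a placeholder, not a real file.
SUSPICIOUS = build_sample(
    b'<?xml version="1.0"?><!DOCTYPE sst [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b"<sst><si><t>&ext;</t></si></sst>"
)

if __name__ == "__main__":
    print(ooxml_parts_with_doctype(BENIGN))                          # []
    print(ooxml_parts_with_doctype(SUSPICIOUS))                      # ['xl/sharedStrings.xml']
    print(is_inside_root("/var/www/fileadmin", "docs/report.xlsx"))  # True
    print(is_inside_root("/var/www/fileadmin", "../../outside/secret.txt"))  # False
```

These checks complement, rather than replace, the actual fix of keeping external entity resolution disabled in the parser that reads the OOXML parts.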

Impact

Exploitation of this vulnerability could lead to unauthorized reading of local files or execution of outbound HTTP requests, with potentially sensitive content being indexed and made searchable.

Remediation

Users are advised to update to version 7.0.1, 6.6.1, or 5.6.2, available through the TYPO3 Extension Manager, Packagist, or directly from the TYPO3 Extensions Repository.

Added: May 19, 2026, 10:22 AM
Updated: May 19, 2026, 10:22 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 3.1
exploitability: 5.4
remediation: 3.1
relevance: 8.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.