FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

typo3 -- Multiple vulnerabilities in TYPO3 Core

Affected packages
4.5.0 <= typo3 < 4.5.21
4.6.0 <= typo3 < 4.6.14
4.7.0 <= typo3 < 4.7.6

Details

VuXML ID 79818ef9-2d10-11e2-9160-00262d5ed8ee
Discovery 2012-11-08
Entry 2012-11-12

TYPO3 Security Team reports:

TYPO3 Backend History Module - Due to missing encoding of user input, the history module is susceptible to SQL Injection and Cross-Site Scripting. A valid backend login is required to exploit this vulnerability. Credits go to Thomas Worm who discovered and reported the issue.

TYPO3 Backend API - Failing to properly HTML-encode user input, the tree render API (TCA-Tree) is susceptible to Cross-Site Scripting. TYPO3 versions below 6.0 do not make use of this API and are thus not exploitable unless a third-party extension that uses this API is installed. A valid backend login is required to exploit this vulnerability. Credits go to Richard Brain who discovered and reported the issue.
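Both items above come down to the same defect: a request parameter reaches an SQL query and an HTML page without being encoded for either context. The following is an added illustration, not code from TYPO3 or from the bulletin, of a record-history page in that shape beside its hardened form; the table and column names, the allow-list and the use of PDO in place of TYPO3's own database layer are all assumptions made for the example.

```php
<?php
// Added illustration (not TYPO3 code): a backend page that reads request
// parameters and renders a record's change history.
// Hypothetical table/column names; PDO stands in for TYPO3's DB layer.

// --- Vulnerable form: input reaches SQL and HTML without encoding ---
function historyVulnerable(PDO $db, array $get): string
{
    $table = $get['table'];   // attacker-controlled (needs a backend login)
    $uid   = $get['uid'];     // attacker-controlled
    // SQL injection: values are concatenated into the query text.
    $rows = $db->query("SELECT tstamp, fieldlist FROM sys_history "
        . "WHERE tablename = '$table' AND recuid = $uid")->fetchAll();
    // Cross-site scripting: the raw parameters are echoed into the page.
    $out = "<h2>History for $table:$uid</h2>";
    foreach ($rows as $r) {
        $out .= "<li>{$r['tstamp']}: {$r['fieldlist']}</li>";
    }
    return $out;
}

// --- Hardened form: validate, then encode for each output context ---
function historyHardened(PDO $db, array $get): string
{
    // SQL context: identifiers cannot be bound, so the table name is checked
    // against an allow-list (hypothetical); the uid is validated as an integer
    // and both values are passed as bound parameters, never as query text.
    $allowed = ['pages', 'tt_content'];
    $table = $get['table'] ?? '';
    $uid   = filter_var($get['uid'] ?? '', FILTER_VALIDATE_INT);
    if (!in_array($table, $allowed, true) || $uid === false) {
        return '<p>Invalid request.</p>';
    }
    $stmt = $db->prepare(
        'SELECT tstamp, fieldlist FROM sys_history WHERE tablename = ? AND recuid = ?'
    );
    $stmt->execute([$table, $uid]);
    // HTML context: every dynamic value is entity-encoded for the HTML body,
    // including values that came back from the database.
    $h = fn($v) => htmlspecialchars((string)$v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $out = '<h2>History for ' . $h($table) . ':' . $h($uid) . '</h2>';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $r) {
        $out .= '<li>' . $h($r['tstamp']) . ': ' . $h($r['fieldlist']) . '</li>';
    }
    return $out;
}
```

The two fixes are independent: bound parameters address the SQL injection, output encoding addresses the cross-site scripting, and a page needs both because the same parameter is used in both contexts.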

References

URL http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-005/