[TYPO3-announce] TYPO3 Security Bulletin TYPO3-20080513-2: Cross Site Scripting vulnerability in extension Questionaire (pbsurvey)

Henning Pingel henning at typo3.org
Tue May 13 08:33:26 CEST 2008

Dear users of TYPO3,

It has been discovered that the extension Questionaire (pbsurvey) is
susceptible to Cross Site Scripting (XSS) attacks.

==== Component Type ====
Third party extension. This extension is not part of the TYPO3 default

==== Affected Versions ====
Version 1.2.0 and below

==== Vulnerability Type ====
Cross Site Scripting

==== Severity ====

==== Problem Description ====
Failing to filter user input the extension is susceptible to Cross Site
Scripting (XSS), making it possible to execute arbitrary JavaScript.

==== Solution ====
An updated version 1.2.1 is available from the TYPO3 extension manager 
and at <http://typo3.org/extensions/repository/view/pbsurvey/1.2.1/>

==== General advice ====
Follow the recommendations that are given in the TYPO3 Security Cookbook
[1]. If you haven't subscribed to the typo3-announce mailing list [2]
yet, please do so to receive future Security Bulletins via E-mail. All
TYPO3 security bulletins are available at the security team pages on
typo3.org [3].

==== Credits ====
Credits go to Stephan Jorek, who discovered the issue. Furthermore the
TYPO3 Security Team wishes to thank the author Patrick Broens for fixing
the issue.

Henning Pingel
henning at typo3.org

[2] <http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce>
[3] <http://typo3.org/teams/security/security-bulletins/>

More information about the TYPO3-announce mailing list