Release Date: January 9, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 1.0.3 and all versions below

Vulnerability Type: Cross-Site Scripting, SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C

Problem Description: The extension fails to properly escape user input in HTML and SQL context.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed in providing a security fix for the reported vulnerability in a decent amount of time. Please uninstall and delete the extension folder from your installation.

Credits: Credits go to Steffen Müller who discovered and reported the vulnerabilities.

 

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.