Original Release Date: October 22, 2009
Vendor: TYPO3 (Core)
Product: TYPO3 CMS – Frontend Login Box (felogin)
TYPO3 versions:
- 4.2.0 – 4.2.6
- Other versions not tested
Vulnerability Type: Cross-Site Scripting
Overall Severity: Medium
Because it fails to sanitize URL parameters, the Frontend Login Box (felogin) is susceptible to XSS.
TYPO3 installations that use the felogin feature are exposed to possible Cross-Site Scripting attacks against users of the CMS.
This problem only exists in TYPO3 versions 4.2.0 – 4.2.6 and was already fixed in version 4.2.7 while fixing a non-security-related issue.
Credits go to Chris John Riley, who discovered and reported the issue, and to Stefan Lang, who discovered and reported the related issue.
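The defect class described above is a URL parameter copied into page markup without output encoding. The following is an added illustration, not TYPO3 or felogin code: it contrasts that unsafe pattern with the context-aware encoding that fixes it. The parameter name `redirect_url`, the form markup and the sample input are assumptions constructed for this example.

```php
<?php
// Added example, not part of TYPO3 or the felogin extension. The parameter
// name "redirect_url" and the login-form markup are assumptions chosen to
// illustrate reflected XSS and its mitigation by output encoding.

declare(strict_types=1);

/**
 * Vulnerable pattern: the query-string value is written into an HTML
 * attribute verbatim, so whoever controls the URL controls the markup.
 */
function renderFormUnsafe(string $redirectUrl): string
{
    return '<form method="post" action="/login">'
        . '<input type="hidden" name="redirect_url" value="' . $redirectUrl . '">'
        . '</form>';
}

/**
 * Encode a value for the HTML attribute/text context. ENT_QUOTES also encodes
 * single quotes, which matters inside attributes; ENT_SUBSTITUTE replaces
 * invalid UTF-8 instead of returning an empty string silently.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hardened pattern: the same form, with the parameter encoded before output.
 */
function renderFormSafe(string $redirectUrl): string
{
    return '<form method="post" action="/login">'
        . '<input type="hidden" name="redirect_url" value="' . encodeForHtml($redirectUrl) . '">'
        . '</form>';
}

/**
 * Simple check usable in a unit test: does the input's markup survive into
 * the rendered output as live HTML? Only the unsafe renderer should fail it.
 */
function reflectsRawMarkup(string $html, string $input): bool
{
    return str_contains($html, $input);
}

// Constructed sample input: closes the attribute and appends a harmless element.
$sample = '"><b>constructed</b>';

$unsafe = renderFormUnsafe($sample);
$safe   = renderFormSafe($sample);

echo 'unsafe reflects raw markup: ', reflectsRawMarkup($unsafe, $sample) ? 'yes' : 'no', PHP_EOL;
echo 'safe reflects raw markup:   ', reflectsRawMarkup($safe, $sample) ? 'yes' : 'no', PHP_EOL;
echo $safe, PHP_EOL;
```

In the safe rendering the quote and angle brackets arrive as `&quot;`, `&lt;` and `&gt;`, so the browser treats the value as attribute text rather than as new elements. The same encoding step must be applied to every parameter that reaches the template, not only the one shown; a `reflectsRawMarkup`-style assertion in the extension's tests is a cheap way to catch a regression of this kind.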
- TYPO3 Advisory (TYPO3-SA-2009-016)