Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

TYPO3-SA-2009-016 – felogin

TYPO3-SA-2009-016

Original Release Date: October 22, 2009

Vendor: TYPO3 (Core)

Product: TYPO3 CMS – Frontend Login Box (felogin)

Affected Versions

TYPO3 versions:

  • 4.2.0 – 4.2.6
  • Other versions not tested

Vulnerability Type: Cross-Site Scripting

Overall Severity: Medium

Problem Description

Because URL parameters are not sanitized before being reflected into the page, the Frontend Login Box is susceptible to XSS.
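The vulnerability class named above (a URL parameter reflected into page HTML without output encoding) is illustrated below with an added example. This is not TYPO3 or felogin code and says nothing about where the actual bug sat in felogin; the parameter name `redirect_url`, the function names and the sample input are all assumptions constructed for the illustration.

```php
<?php
// Added illustrative example, not TYPO3/felogin code.
// Shows the vulnerability class from the advisory: a URL parameter
// reflected into HTML without output encoding, next to the corrected
// pattern. Parameter name "redirect_url" is an assumption.

// Vulnerable pattern: the raw GET value is concatenated straight into an
// HTML attribute, so a value containing a quote can close the attribute
// and inject markup into the page.
function renderLoginFormUnsafe(array $get): string
{
    $redirect = $get['redirect_url'] ?? '';
    return '<input type="hidden" name="redirect_url" value="' . $redirect . '">';
}

// Hardened pattern: encode for the HTML attribute context at the point of
// output. ENT_QUOTES encodes both ' and " so the value cannot break out of
// the attribute; declaring UTF-8 avoids charset-dependent decoding quirks.
function renderLoginFormSafe(array $get): string
{
    $redirect = $get['redirect_url'] ?? '';
    $encoded  = htmlspecialchars($redirect, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="redirect_url" value="' . $encoded . '">';
}

// Regression check a maintainer can keep in a test suite: untrusted input
// must never appear verbatim in rendered output when it carries
// attribute- or tag-breaking characters.
function containsUnencodedMarkup(string $html, string $untrusted): bool
{
    return $untrusted !== '' && strpos($html, $untrusted) !== false;
}

// Constructed sample input (not taken from the advisory) that carries a
// closing quote and a tag, i.e. the characters output encoding must neutralise.
$sample = ['redirect_url' => '"><b>injected</b>'];

var_dump(containsUnencodedMarkup(renderLoginFormUnsafe($sample), $sample['redirect_url']));
var_dump(containsUnencodedMarkup(renderLoginFormSafe($sample), $sample['redirect_url']));
```

Run with `php example.php`: the first check reports that the sample survives unencoded in the unsafe rendering, the second that the encoded rendering no longer contains it. The important design point is that encoding is applied per output context (here an HTML attribute) at the moment of rendering, rather than trying to "sanitize" the parameter on the way in, where the eventual context is not yet known.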

Impact

TYPO3 installations that use the felogin feature are exposed to possible Cross-Site Scripting style attacks against users of the CMS.

Vendor Response

This problem only exists in TYPO3 versions 4.2.0 – 4.2.6 and was already fixed in version 4.2.7 while fixing a non-security-related issue.

Credit(s)

Credits go to Chris John Riley who discovered and reported the issue and to Stefan Lang who discovered and reported the related issue.

References
