Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

TYPO3-SA-2009-016 – felogin


Original Release Date: October 22, 2009

Vendor: TYPO3 (Core)

Product: TYPO3 CMS – Frontend Login Box (felogin)

Affected Versions

TYPO3 versions :

  • 4.2.0 – 4.2.6
  • Other versions not tested

Vulnerability Type: Cross-Site Scripting

Overall Severity: Medium

Problem Description

Failing to sanitize URL parameters the Frontend Login Box box is susceptible to XSS.


TYPO3 installations that use the felogin feature are exposed to possible Cross-Site Scripting style attacks against users of the CMS

Vendor Response

This problem only exists in TYPO3 versions 4.2.0 – 4.2.6 and was already fixed for version 4.2.7 while fixing a non security related issue.


Credits go to Chirs John Riley who discovered and reported the issue and to Stefan Lang who discovered and reported the related issue.


%d bloggers like this: