Cатсн²² (in)sесuяitу / ChrisJohnRiley
TYPO3-SA-2010-009 – sr_feuser_register
TYPO3-SA-2010-009
Original Release Date: 14 April 2010
Vendor: Third party extension – Frontend User Registration (sr_feuser_register)
Product: TYPO3 CMS – Vulnerability in extension Frontend User Registration (sr_feuser_register)
Affected Versions
Extension versions:
- Versions prior to 2.5.25
Vulnerability Type: Cross-Site Scripting
Overall Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C
Problem Description
Because the extension fails to validate and sanitize user input, it is susceptible to Cross-Site Scripting (XSS), making it possible to execute arbitrary JavaScript in the browser of a user viewing the affected page.
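The defect class the advisory describes, shown as an added example rather than code taken from the sr_feuser_register extension: a registration field echoed into HTML unescaped, next to the standard PHP fix (output encoding for the HTML context) and an allow-list check on the stored value. The function names, field name and sample input are illustrative assumptions, not the extension's own code.

```php
<?php
// Added example (not code from sr_feuser_register): the class of defect the
// advisory describes, unescaped user input echoed into HTML, beside the
// standard PHP fix. Function and field names are illustrative only.

declare(strict_types=1);

/**
 * Vulnerable pattern: the submitted value is placed into the page verbatim,
 * so any HTML or script it contains is interpreted by the browser.
 */
function renderNameVulnerable(string $name): string
{
    return '<p>Welcome, ' . $name . '</p>';
}

/**
 * Hardened pattern: encode the value for the HTML text context.
 * ENT_QUOTES also covers use inside attribute values; naming the charset
 * explicitly avoids charset-dependent encoding differences.
 */
function renderNameSafe(string $name): string
{
    return '<p>Welcome, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

/**
 * Input validation as a second layer: a registration username has a narrow
 * legitimate alphabet, so anything outside it is rejected before it is stored.
 */
function isValidUsername(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $name);
}

// Constructed sample input of the kind a registration form might receive.
$submitted = '<script>alert(1)</script>';

// The vulnerable renderer emits the script tag as live markup; the safe
// renderer emits it as entity-encoded text that the browser only displays.
echo renderNameVulnerable($submitted), PHP_EOL;
echo renderNameSafe($submitted), PHP_EOL;

// The allow-list check rejects the sample input and accepts a plain username.
var_dump(isValidUsername($submitted));
var_dump(isValidUsername('example_user'));
```

Output encoding at the point where the value is written into HTML is the fix that closes the XSS regardless of how the value reached the database; the allow-list validation reduces the attack surface further but is not a substitute for encoding, since other fields (free-text name, address) legitimately contain characters that must still be encoded on output.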
Impact
TYPO3 installations that use the sr_feuser_register extension are exposed to possible Cross-Site Scripting attacks against users of the CMS.
Solution
Updated versions are available from the TYPO3 extension manager.
Users are advised to upgrade to extension version 2.5.25, which is available at http://typo3.org/extensions/repository/view/sr_feuser_register/2.5.25/
Credit(s)
Credits go to Chris John Riley, who discovered and reported the issue.
References
- TYPO3 Advisory (TYPO3-SA-2010-009)
<http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-009/>