Vigil@nce: TYPO3, vulnerabilities of extensions
February 2010 by Vigil@nce

SYNTHESIS OF THE VULNERABILITY

An attacker can exploit several vulnerabilities in TYPO3 extensions in order to perform a Cross Site Scripting attack or to inject SQL code.

Severity: 2/4

Consequences: user access/rights, client access/rights, data reading

Provenance: internet client

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Number of vulnerabilities in this bulletin: 7

Creation date: 01/02/2010

IMPACTED PRODUCTS

- TYPO3

DESCRIPTION OF THE VULNERABILITY

An attacker can exploit several vulnerabilities in TYPO3 extensions.

An attacker can perform SQL injections and Cross Site Scripting attacks in the T3BLOG (t3blog) extension. [grav:2/4; BID-38030, TYPO3-SA-2010-002]

An attacker can perform a SQL injection in the Event Manager (eventmanagement) extension. [grav:2/4; TYPO3-SA-2010-003]

An attacker can perform a SQL injection in the Game Article DB (game_articledb) extension. [grav:2/4; TYPO3-SA-2010-003]

An attacker can perform a SQL injection and a Cross Site Scripting attack in the Simple career (ml_career) extension. [grav:2/4; TYPO3-SA-2010-003]

An attacker can perform a SQL injection in the Surprise Calendar (ml_surprisecalendar) extension. [grav:2/4; TYPO3-SA-2010-003]

An attacker can perform a Cross Site Scripting attack in the Search Api Ajax Google (searchajaxgoogle) extension. [grav:2/4; TYPO3-SA-2010-003]

An attacker can obtain information via the Download Manager (spr_downloadmanager) extension. [grav:1/4; TYPO3-SA-2010-003]

CHARACTERISTICS

Identifiers: BID-38030, TYPO3-SA-2010-002, TYPO3-SA-2010-003, VIGILANCE-VUL-9394

http://vigilance.fr/vulnerability/T...


