Vigil@nce - TYPO3: vulnerabilities of extensions
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can exploit several vulnerabilities in TYPO3 extensions to perform Cross-Site Scripting or to inject code.
Impacted products: TYPO3
Severity: 2/4
Creation date: 19/02/2013
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in TYPO3 extensions.
An attacker can trigger an SQL injection in the CoolURI (cooluri) extension. [severity:2/4; BID-58055, TYPO3-EXT-SA-2013-003]
An attacker can trigger a Cross Site Scripting in the Static Info Tables (static_info_tables) extension. [severity:2/4; BID-58056, TYPO3-EXT-SA-2013-004]
An attacker can inject commands in the Fluid Extbase Development Framework (fed) extension. [severity:2/4; TYPO3-EXT-SA-2013-005]
An attacker can trigger an SQL injection in the WEC Discussion Forum (wec_discussion) extension. [severity:2/4; BID-58054, TYPO3-EXT-SA-2013-005]
An attacker can trigger an SQL injection in the RSS feed from records (push2rss_3ds) extension. [severity:2/4; TYPO3-EXT-SA-2013-005]
An attacker can trigger an SQL injection in the Slideshare (slideshare) extension. [severity:2/4; TYPO3-EXT-SA-2013-005]
An attacker can trigger an SQL injection and a Cross Site Scripting in the My quiz and poll (myquizpoll) extension. [severity:2/4; BID-58057, TYPO3-EXT-SA-2013-005]