oss-sec
mailing list archives
TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 10 Dec 2012 14:32:20 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-005/
I'm a little confused because multiple issues are listed together with
a single CVSS2 score/etc.
Can the Typo3 security team please confirm the following:
Component Type: TYPO3 Core
Affected Versions: 4.5.0 up to 4.5.20, 4.6.0 up to 4.6.13, 4.7.0 up to 4.7.5 and development releases of the 6.0 branch.
Vulnerability Types: SQL Injection, Cross-Site Scripting, Information Disclosure
So no CVEs needed for this; this is simply a summary of the issues below?
Vulnerable subcomponent: TYPO3 Backend History Module
Vulnerability Type: SQL Injection, Cross-Site Scripting
Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that fix the problem described!
Credits: Credits go to Thomas Worm who discovered and reported the issue.
Did he discover both the SQL Injection and the Cross-Site Scripting issues? Can you provide a link to the specific code fixes?
So 2 CVEs needed, correct?
Vulnerable subcomponent: TYPO3 Backend History Module
Vulnerability Type: Information Disclosure
Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that fix the problem described!
Credits: Credits go to Core Team Member Oliver Hader who discovered and fixed the issue.
So one CVE needed here? Can you provide a link to the specific code fixes?
Vulnerable subcomponent: TYPO3 Backend API
Vulnerability Type: Cross-Site Scripting
Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that fix the problem described!
Credits: Credits go to Johannes Feustel who discovered and reported the issue.
So one CVE needed here? Can you provide a link to the specific code fixes?
Vulnerability Type: Cross-Site Scripting
Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that fix the problem described!
Credits: Credits go to Richard Brain who discovered and reported the issue.
So one CVE needed here? Can you provide a link to the specific code fixes?
Thanks for confirming this.
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993