Vigil@nce - TYPO3 Core: six vulnerabilities
September 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use several vulnerabilities of TYPO3.
Impacted products: Debian, TYPO3 Core.
Severity: 2/4.
Creation date: 02/07/2015.
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in TYPO3.
An attacker authorized to change metadata of its own files can
also do it to files that should be unreachable. [severity:1/4;
TYPO3-CORE-SA-2015-002]
An attacker can define the session identifier of another user, for
instance to change its privileges. [severity:2/4;
TYPO3-CORE-SA-2015-003]
An attacker can trigger a Cross Site Scripting in page titles, in
order to execute JavaScript code in the context of the web site.
[severity:2/4; TYPO3-CORE-SA-2015-004]
An attacker can list the content of the install root folder of
TYPO3. [severity:1/4; TYPO3-CORE-SA-2015-005]
An attacker can use a special request to bypass the wait between 2
authentication attempts. [severity:1/4; TYPO3-CORE-SA-2015-006]
An attacker can trigger a Cross Site Scripting in the embedded
library Flowplayer, in order to execute JavaScript code in the
context of the web site. [severity:1/4; TYPO3-CORE-SA-2015-007]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/TYPO3-Core-six-vulnerabilities-17293