Vigil@nce: TYPO3, vulnerabilities of extensions
August 2009 by Vigil@nce
An attacker can exploit several vulnerabilities in TYPO3 extensions
in order to obtain information, to perform a Cross-Site Scripting
attack or to inject SQL code.
Severity: 2/4
Consequences: user access/rights, client access/rights
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 9
Creation date: 18/08/2009
IMPACTED PRODUCTS
– TYPO3
DESCRIPTION OF THE VULNERABILITY
An attacker can exploit several vulnerabilities in TYPO3 extensions.
An attacker can trigger a Cross-Site Scripting in the Commerce
(commerce) extension. [grav:2/4; TYPO3-SA-2009-011]
An attacker can perform an SQL injection in the T3M E-Mail
Marketing Tool (t3m) extension. [grav:2/4; TYPO3-SA-2009-012]
An attacker can perform an SQL injection in the AIRware Lexicon
(air_lexicon) extension. [grav:2/4; TYPO3-SA-2009-013]
An attacker can perform an SQL injection in the AST ZipCodeSearch
(ast_addresszipsearch) extension. [grav:2/4; TYPO3-SA-2009-013]
An attacker can perform an SQL injection in the Car (car)
extension. [grav:2/4; TYPO3-SA-2009-013]
An attacker can perform an SQL injection in the Event Registration
(event_registr) extension. [grav:2/4; TYPO3-SA-2009-013]
An attacker can perform an SQL injection in the Solidbase
Bannermanagement (SBbanner) extension. [grav:2/4; TYPO3-SA-2009-013]
An attacker can
Identifiers: TYPO3-SA-2009-011, TYPO3-SA-2009-012,
TYPO3-SA-2009-013, VIGILANCE-VUL-8955
http://vigilance.fr/vulnerability/TYPO3-vulnerabilities-of-extensions-8955