Package: typo3-src
Severity: critical
Tags: security

Component Type: TYPO3 Core
Affected Versions: 4.2.15 and below, 4.3.8 and below, 4.4.4 and below
Vulnerability Types: Arbitrary Code Execution, Path Traversal, Cross-Site Scripting (XSS), SQL injection, Information Disclosure
Overall Severity: High

Vulnerable subcomponent #1: Frontend

Vulnerability Type: Cross-Site Scripting
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to properly sanitize user input, the click enlarge functionality is susceptible to Cross-Site Scripting. The problem only exists if the TYPO3 caching framework is turned on by configuration.

Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C
Problem Description: For a regular editor it is possible to inject arbitrary HTML or JavaScript into the FORM content object. A valid backend login is required to exploit this vulnerability.

Vulnerable subcomponent #2: PHP file inclusion protection API

Vulnerability Type: Arbitrary Code Execution
Severity: High
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C
Problem Description: Because of insufficient validation of user input it is possible to circumvent the check for executable php files in some cases.

Vulnerable subcomponent #3: Install Tool

Vulnerability Type: Cross-Site Scripting
Severity: Medium
TODO: Suggested CVSS v2.0: AV:L/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to sanitize user input, the TYPO3 Install Tool is susceptible to XSS attacks in several places. A valid Install Tool login is required to exploit these vulnerabilities.

Vulnerable subcomponent #4: Backend

Vulnerability Type: Remote File Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to properly validate user input, the TypoScript file inclusion functionality makes it possible to also include arbitrary php files into the TypoScript setup.
A valid admin user login is required to exploit this vulnerability.

Vulnerability Type: Path Traversal
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C
Problem Description: Failing to sanitize user input, the unzip library is susceptible to Path Traversal.

Vulnerability Type: SQL Injection
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:N/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to sanitize user input, the list module functionality is susceptible to SQL injection. A valid backend login with the rights to access the list module is required to exploit this vulnerability.

Vulnerable subcomponent #5: Database API

Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
Problem Description: If the database connection to the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, the TYPO3 Database API method escapeStrForLike() is failing to properly quote user input, making it possible to inject wildcards into a LIKE query. This could potentially disclose a set of records that are meant to be kept secret.

-- 
Regards,
Christian Welzel

GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
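
Added example, not part of the original report and not TYPO3 code: a sketch of the escapeStrForLike() issue under subcomponent #5, showing why backslash-prefixed wildcards stay active when the server has no LIKE escape character, and how an explicit ESCAPE clause avoids depending on the server mode. Assumptions: SQLite stands in for MySQL with NO_BACKSLASH_ESCAPES (its LIKE also has no default escape character), and the table, rows and helper names are constructed for illustration.

```python
import sqlite3

# Constructed sample data: account names, some containing a literal backslash.
ROWS = [("CORP\\alice",), ("CORP\\bob",), ("CORP%guest",), ("OTHER\\carol",)]


def backslash_escape(term):
    """Hypothetical helper: only prefixes the LIKE wildcards with a backslash."""
    return term.replace("%", "\\%").replace("_", "\\_")


def escape_like(term, esc="!"):
    """Escape the escape character itself first, then both wildcards."""
    for ch in (esc, "%", "_"):
        term = term.replace(ch, esc + ch)
    return term


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?)", ROWS)
    return db


def search_implicit(db, term):
    # Prefix search that relies on the server treating "\" as the LIKE
    # escape character. With no escape character in effect, the "\" is
    # matched literally and the "%" after it is still a wildcard.
    sql = "SELECT name FROM accounts WHERE name LIKE ? ORDER BY name"
    return [r[0] for r in db.execute(sql, (backslash_escape(term) + "%",))]


def search_explicit(db, term):
    # Prefix search that names its escape character in the query, so the
    # result does not depend on the server's sql_mode.
    sql = "SELECT name FROM accounts WHERE name LIKE ? ESCAPE '!' ORDER BY name"
    return [r[0] for r in db.execute(sql, (escape_like(term) + "%",))]


if __name__ == "__main__":
    db = make_db()
    # The user searched for names starting with the literal text "CORP%".
    print("implicit:", search_implicit(db, "CORP%"))
    print("explicit:", search_explicit(db, "CORP%"))
```

The implicit search returns the two CORP\ accounts that the user never asked for and misses the one name that really starts with "CORP%"; the explicit search returns only that name.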