Package: typo3-src
Severity: critical
Tags: security

It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting and Remote Code Execution.

Component Type: TYPO3 Core
Vulnerability Types: Cross-Site Scripting, Remote Code Execution
Overall Severity: Critical
Release Date: July 30, 2013

Vulnerable subcomponent: Third Party Libraries used for audio and video playback
Vulnerability Type: Cross-Site Scripting
Affected Versions: All versions from 4.5.0 up to the development branch of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C
Related CVEs: CVE-2011-3642, CVE-2013-1464
Problem Description: TYPO3 bundles flash files for video and audio playback. Old versions of FlowPlayer and flashmedia are susceptible to Cross-Site Scripting. No authentication is required to exploit this vulnerability.

Vulnerable subcomponent: Backend File Upload / File Abstraction Layer (This module is not part of the TYPO3 version in Debian!)
Vulnerability Type: Remote Code Execution by arbitrary file creation
Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C
CVE: CVE-2013-4250

--
Kind regards,
Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19
Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119