Vulnerability bulletin: CVE-2013-4681, CVE-2013-4719, CVE-2013-4749

TYPO3: vulnerabilities of extensions

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in TYPO3 extensions in order to trigger a Cross Site Scripting or to inject code.
Impacted products: TYPO3 Extensions.
Severity: 2/4.
Creation date: 28/01/2013.
Identifiers: BID-59658, BID-59660, BID-59664, BID-61363, CVE-2013-4681, CVE-2013-4719, CVE-2013-4749, CVE-2013-4870, CVE-2013-5570, TYPO3-EXT-SA-2013-002, VIGILANCE-VUL-12353.

Description of the vulnerability

Several vulnerabilities were announced in TYPO3 extensions.

An attacker can inject a mail header and trigger a Cross Site Scripting in the Tip-A-Friend Plus (tipafriend_plus) extension. [severity:2/4]

An attacker can trigger a SQL injection in the Attac Calendar (attacalendar) extension. [severity:2/4]

An attacker can trigger a SQL injection in the SEO Pack for tt_news (lonewsseo) extension. [severity:2/4; BID-59658, CVE-2013-4719]

An attacker can upload a file in the Frontend File Browser (fefilebrowser) extension. [severity:2/4]

An attacker can trigger a SQL injection in the Exinit job offer (exinit_joboffer) extension. [severity:2/4]

An attacker can trigger a SQL injection in the MySQL2JSON (mn_mysql2json) extension. [severity:2/4]

An attacker can trigger a SQL injection in the Attac Petition (attacpetition) extension. [severity:2/4]

An attacker can trigger a SQL injection in the Subscription (eu_subscribe) extension. [severity:2/4]

An attacker can trigger a SQL injection in the News Search (news_search) extension. [severity:2/4; BID-61363, CVE-2013-4870]

An attacker can bypass the authentication of the Twitter Auth Service (twitter_auth) extension. [severity:2/4]

An attacker can obtain the content of a file via the From a csv-file to a html-table (kk_csv2table) extension. [severity:2/4]

An attacker can trigger a Cross Site Scripting in the Javascript and CSS Optimizer (js_css_optimizer) extension. [severity:2/4; BID-59660, CVE-2013-5570]

An attacker can trigger a Cross Site Scripting in the UserTask Center Messaging (sys_messages) extension. [severity:2/4; CVE-2013-4749]

An attacker can trigger an unserialization error in the sofortueberweisung2commerce (sofortueberweisung2commerce) extension. [severity:2/4; BID-59664, CVE-2013-4681]

Copyright 1999-2014 Vigil@nce. Vigil@nce is a service from Orange Business Services.