Vigil@nce (Orange Business Services), tracking vulnerabilities for your security since 1999
vulnerability note 9394
TYPO3: vulnerabilities of extensions

Synthesis of the vulnerability
An attacker can exploit several vulnerabilities in TYPO3 extensions in order to perform a Cross Site Scripting attack or to inject SQL code.
Severity: 2/4.
Consequences: user access/rights, client access/rights, data reading.
Provenance: internet client.
Means of attack: no proof of concept, no attack.
Ability of attacker: expert (4/4).
Confidence: confirmed by the editor (5/5).
Diffusion of the vulnerable configuration: high (3/3).
Number of vulnerabilities in this bulletin: 7.
Creation date: 01/02/2010.

Impacted products

Description of the vulnerability
An attacker can use several vulnerabilities of TYPO3 extensions.

An attacker can generate SQL injections and Cross Site Scriptings in the T3BLOG (t3blog) extension. [severity:2/4; BID-38030, TYPO3-SA-2010-002]

An attacker can generate a SQL injection in the Event Manager (eventmanagement) extension. [severity:2/4; TYPO3-SA-2010-003]

An attacker can generate a SQL injection in the Game Article DB (game_articledb) extension. [severity:2/4; TYPO3-SA-2010-003]

An attacker can generate a SQL injection and a Cross Site Scripting in the Simple career (ml_career) extension. [severity:2/4; TYPO3-SA-2010-003]

An attacker can generate a SQL injection in the Surprise Calendar (ml_surprisecalendar) extension. [severity:2/4; TYPO3-SA-2010-003]

An attacker can generate a Cross Site Scripting in the Search Api Ajax Google (searchajaxgoogle) extension. [severity:2/4; TYPO3-SA-2010-003]

An attacker can obtain information via the Download Manager (spr_downloadmanager) extension. [severity:1/4; TYPO3-SA-2010-003]

Characteristics
Title: TYPO3: vulnerabilities of extensions
Identifiers: BID-38030, TYPO3-SA-2010-002, TYPO3-SA-2010-003, VIGILANCE-VUL-9394.
Url: https://vigilance.fr/tree/1/9394

Solutions for this vulnerability
Patch or workaround

Supplements

Vulnerability: T3BLOG (t3blog)
An attacker can generate SQL injections and Cross Site Scriptings in the T3BLOG (t3blog) extension.
Severity: 2/4.
Identifiers: BID-38030, TYPO3-SA-2010-002.
Publications and announcements
Source example: TYPO3 Security Bulletin TYPO3-SA-2010-002: Multiple SQL Injection and Cross-Site Scripting vulnerabilities in extension "T3BLOG" (t3blog)

Vulnerability: Event Manager (eventmanagement)
An attacker can generate a SQL injection in the Event Manager (eventmanagement) extension.
Severity: 2/4.
Identifiers: TYPO3-SA-2010-003.
Publications and announcements
Source example: TYPO3 Collective Security Bulletin TYPO3-SA-2010-003: Several vulnerabilities in third party extensions

Vulnerability: Game Article DB (game_articledb)
An attacker can generate a SQL injection in the Game Article DB (game_articledb) extension.
Severity: 2/4.
Identifiers: TYPO3-SA-2010-003.
Publications and announcements
Source example: TYPO3 Collective Security Bulletin TYPO3-SA-2010-003: Several vulnerabilities in third party extensions

Vulnerability: Simple career (ml_career)
An attacker can generate a SQL injection and a Cross Site Scripting in the Simple career (ml_career) extension.
Severity: 2/4.
Identifiers: TYPO3-SA-2010-003.
Publications and announcements
Source example: TYPO3 Collective Security Bulletin TYPO3-SA-2010-003: Several vulnerabilities in third party extensions

Vulnerability: Surprise Calendar (ml_surprisecalendar)
An attacker can generate a SQL injection in the Surprise Calendar (ml_surprisecalendar) extension.
Severity: 2/4.
Identifiers: TYPO3-SA-2010-003.
Publications and announcements
Source example: TYPO3 Collective Security Bulletin TYPO3-SA-2010-003: Several vulnerabilities in third party extensions

Vulnerability: Search Api Ajax Google (searchajaxgoogle)
An attacker can generate a Cross Site Scripting in the Search Api Ajax Google (searchajaxgoogle) extension.
Severity: 2/4.
Identifiers: TYPO3-SA-2010-003.
Publications and announcements
Source example: TYPO3 Collective Security Bulletin TYPO3-SA-2010-003: Several vulnerabilities in third party extensions

Vulnerability: Download Manager (spr_downloadmanager)
An attacker can obtain information via the Download Manager (spr_downloadmanager) extension.
Severity: 1/4.
Identifiers: TYPO3-SA-2010-003.
Publications and announcements
Source example: TYPO3 Collective Security Bulletin TYPO3-SA-2010-003: Several vulnerabilities in third party extensions

France Télécom Copyright 1999-2010 Vigil@nce. Vigil@nce is a service from Orange Business Services.