Orange Business Services
Vigil@nce Vigil@nce Vigil@nce
we track for your security since 1999
 home presentation vulnerabilities documentation contact  
subscriber area subscriber area
free access free access
Vigil@nce team describes computer vulnerabilities impacting your systems, and offers solutions to correct them.
recent vulnerabilities recent vulnerabilities
tracked products tracked products
RSS feed RSS feed
vulnerability

vulnerability note 9394

TYPO3: vulnerabilities of extensions

Synthesis of the vulnerability

An attacker can use several vulnerabilities of TYPO3 extensions in order to generate a Cross Site Scripting or to inject SQL code.
Severity: 2/4.
Creation date: 01/02/2010.

Description of the vulnerability

An attacker can use several vulnerabilities of TYPO3 extensions.

An attacker can generate SQL injections and Cross Site Scriptings in the T3BLOG (t3blog) extension. [severity:2/4; BID-38030, TYPO3-SA-2010-002, >]

An attacker can generate a SQL injection in the Event Manager (eventmanagement) extension. [severity:2/4; TYPO3-SA-2010-003, >]

An attacker can generate a SQL injection in the Game Article DB (game_articledb) extension. [severity:2/4; TYPO3-SA-2010-003, >]

An attacker can generate a SQL injection and a Cross Site Scripting in the Simple career (ml_career) extension. [severity:2/4; TYPO3-SA-2010-003, >]

An attacker can generate a SQL injection in the Surprise Calendar (ml_surprisecalendar) extension. [severity:2/4; TYPO3-SA-2010-003, >]

An attacker can generate a Cross Site Scripting in the Search Api Ajax Google (searchajaxgoogle) extension. [severity:2/4; TYPO3-SA-2010-003, >]

An attacker can obtain information via the Download Manager (spr_downloadmanager) extension. [severity:1/4; TYPO3-SA-2010-003, >]

Complete Vigil@nce bulletin

Access to the complete Vigil@nce bulletin

Characteristics

Title: TYPO3: vulnerabilities of extensions.
Keywords: Ajax Api Article Calendar Cross Download Event Game Google Manager SQL Scripting Scriptings Search Simple Site Surprise T3BLOG TYPO3 TYPO3-SA-2010-002 TYPO3-SA-2010-003 extensions game_articledb ml_career ml_surprisecalendar spr_downloadmanager t3blog vulnerabilities.
Identifiers: BID-38030, TYPO3-SA-2010-002, TYPO3-SA-2010-003, VIGILANCE-VUL-9394.

Solutions for this vulnerability

Patch or workaround

Supplements

Vulnerability : T3BLOG (t3blog)

An attacker can generate SQL injections and Cross Site Scriptings in the T3BLOG (t3blog) extension.
Severity: 2/4.
Identifiers: BID-38030, TYPO3-SA-2010-002.
Publications and announces
Source example: TYPO3 Security Bulletin TYPO3-SA-2010-002: Multiple SQL Injection and Cross-Site Scripting vulnerabilities in extension "T3BLOG" (t3blog)

Vulnerability : Event Manager (eventmanagement)

An attacker can generate a SQL injection in the Event Manager (eventmanagement) extension.
Severity: 2/4.
Identifiers: TYPO3-SA-2010-003.
Publications and announces
Source example: TYPO3 Collective Security Bulletin TYPO3-SA-2010-003: Several vulnerabilities in third party extensions

Vulnerability : Game Article DB (game_articledb)

An attacker can generate a SQL injection in the Game Article DB (game_articledb) extension.
Severity: 2/4.
Identifiers: TYPO3-SA-2010-003.
Publications and announces
Source example: TYPO3 Collective Security Bulletin TYPO3-SA-2010-003: Several vulnerabilities in third party extensions

Vulnerability : Simple career (ml_career)

An attacker can generate a SQL injection and a Cross Site Scripting in the Simple career (ml_career) extension.
Severity: 2/4.
Identifiers: TYPO3-SA-2010-003.
Publications and announces
Source example: TYPO3 Collective Security Bulletin TYPO3-SA-2010-003: Several vulnerabilities in third party extensions

Vulnerability : Surprise Calendar (ml_surprisecalendar)

An attacker can generate a SQL injection in the Surprise Calendar (ml_surprisecalendar) extension.
Severity: 2/4.
Identifiers: TYPO3-SA-2010-003.
Publications and announces
Source example: TYPO3 Collective Security Bulletin TYPO3-SA-2010-003: Several vulnerabilities in third party extensions

Vulnerability : Search Api Ajax Google (searchajaxgoogle)

An attacker can generate a Cross Site Scripting in the Search Api Ajax Google (searchajaxgoogle) extension.
Severity: 2/4.
Identifiers: TYPO3-SA-2010-003.
Publications and announces
Source example: TYPO3 Collective Security Bulletin TYPO3-SA-2010-003: Several vulnerabilities in third party extensions

Vulnerability : Download Manager (spr_downloadmanager)

An attacker can obtain information via the Download Manager (spr_downloadmanager) extension.
Severity: 1/4.
Identifiers: TYPO3-SA-2010-003.
Publications and announces
Source example: TYPO3 Collective Security Bulletin TYPO3-SA-2010-003: Several vulnerabilities in third party extensions

Computer vulnerabilities tracking service

The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
Computer vulnerabilities tracking service



















France Télécom Copyright 1999-2010 Vigil@nce. Vigil@nce is a service from Orange Business Services. Site map. Legal notice. Version française