Package: typo3-src
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for typo3-src.

CVE-2012-2112[0]:
| Failing to properly encode the output, the default TYPO3 Exception Handler is 
| susceptible to Cross-Site Scripting.
| We are not aware of a possibilty to exploit this vulnerability without third 
| party extensions being installed that put user input in exception messages.
| However it has come to our attention that extensions using the extbase MVC 
| framework can be used to exploit this vulnerability if these extensions 
accept 
| objects in controller actions.
| In general and especially when in doubt if the above conditions are met, we 
| highly recommend users of affected versions to update as soon as possible.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2112
    http://security-tracker.debian.org/tracker/CVE-2012-2112
    
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/

-- 
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpjFsFwbhYh7.pgp
Description: PGP signature

Reply via email to