FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

typo -- Cross-Site Scripting

Affected packages
4.6.0 <= typo3 <= 4.6.7
4.5.0 <= typo3 <= 4.5.14
4.4.0 <= typo3 <= 4.4.14

Details

VuXML ID 67516177-88ec-11e1-9a10-0023ae8e59f0
Discovery 2012-04-17
Entry 2012-04-18

Typo Security Team reports:

Failing to properly encode the output, the default TYPO3 Exception Handler is susceptible to Cross-Site Scripting. We are not aware of a possibility to exploit this vulnerability without third party extensions being installed that put user input in exception messages. However, it has come to our attention that extensions using the extbase MVC framework can be used to exploit this vulnerability if these extensions accept objects in controller actions.

References

CVE Name CVE-2012-2112
URL https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/