Package: typo3-src
Severity: critical
Tags: security
Version: 4.5.4+dfsg1-1


Component Type: TYPO3 Core
Affected Versions: 4.5.0 - 4.5.5
Release Date: September 14, 2011

Vulnerable subcomponent: Database API

Vulnerability Type: SQL Injection
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C

Problem Description: Failing to properly replace parameter values, the
usage of prepared statements could lead to a SQL Injection
vulnerability. This issue can only be exploited if two or more
parameters are bound to the query and at least two come from user input.

We carefully analysed the usage of prepared queries in the TYPO3 Core
and found that it is not exploitable. We are also not aware of any
extension in the TER that uses this feature in an exploitable way.
Nevertheless all users of TYPO3 4.5.x are advised to update their
installations as soon as possible.
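The following PHP snippet is an added illustration, not TYPO3's Database API code, of the failure mode the advisory describes: an emulated prepared statement that substitutes bound values one placeholder at a time will re-scan a value it has already inserted, so when two parameters are bound and the first user-supplied value happens to contain the placeholder character, the second value lands inside the first string literal and the data/SQL boundary is lost. The function names, the `pages` query and the sample values are constructed for the example; the single-pass variant shows the shape of a correct substitution.

```php
<?php
// Added example (not TYPO3 code): sequential vs. single-pass placeholder
// substitution in an emulated prepared statement.

function quoteValue(string $value): string
{
    // Minimal quoting for the illustration; a real driver escapes per
    // connection charset (e.g. mysqli::real_escape_string).
    return "'" . addslashes($value) . "'";
}

// Broken emulation: for each parameter, replace the *first* "?" currently in
// the query. After the first substitution the query contains the bound value,
// so a "?" inside that value is mistaken for the next placeholder.
function bindSequential(string $sql, array $params): string
{
    foreach (array_values($params) as $value) {
        $pos = strpos($sql, '?');
        if ($pos === false) {
            throw new InvalidArgumentException('more parameters than placeholders');
        }
        $sql = substr($sql, 0, $pos) . quoteValue($value) . substr($sql, $pos + 1);
    }
    return $sql;
}

// Hardened emulation: split the *template* once, then interleave the quoted
// values. Bound values are never scanned for placeholders again, and the
// placeholder/parameter counts are checked up front.
// (Assumes the template itself has no literal "?" inside string constants.)
function bindSinglePass(string $sql, array $params): string
{
    $parts  = explode('?', $sql);
    $values = array_values($params);
    if (count($parts) - 1 !== count($values)) {
        throw new InvalidArgumentException('placeholder/parameter count mismatch');
    }
    $out = $parts[0];
    foreach ($values as $i => $value) {
        $out .= quoteValue($value) . $parts[$i + 1];
    }
    return $out;
}

// Constructed sample: two bound parameters, both from "user input"; the first
// contains the placeholder character.
$template = 'SELECT uid FROM pages WHERE title = ? AND hidden = ?';
$params   = ['What?', '0'];

echo bindSequential($template, $params), PHP_EOL;
// title = 'What'0'' AND hidden = ?   <- literal broken, one "?" left unbound

echo bindSinglePass($template, $params), PHP_EOL;
// title = 'What?' AND hidden = '0'   <- each value stays inside its own literal
```

Even with benign values the sequential form produces a query whose string literal closes early and whose last placeholder is never bound, which is the condition the advisory describes (two or more bound parameters, at least two user-controlled). A useful regression check for any emulated-binding code is therefore exactly this input: a first value containing the placeholder character followed by a second bound value, asserting that the output equals the single-pass result.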


-- 
 MfG, Christian Welzel

  GPG-Key:     http://www.camlann.de/de/pgpkey.html
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15


