Hi,

SYNTHESIS OF THE VULNERABILITY

An attacker can exploit several vulnerabilities in TYPO3 extensions to perform Cross Site Scripting or to inject SQL code.

Severity: 2/4
Consequences: user access/rights, client access/rights, data reading
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 7
Creation date: 01/02/2010

IMPACTED PRODUCTS

- TYPO3

DESCRIPTION OF THE VULNERABILITY

An attacker can use several vulnerabilities of TYPO3 extensions.

- An attacker can perform SQL injections and Cross Site Scripting attacks in the T3BLOG (t3blog) extension. [grav:2/4; BID-38030, TYPO3-SA-2010-002]
- An attacker can perform a SQL injection in the Event Manager (eventmanagement) extension. [grav:2/4; TYPO3-SA-2010-003]
- An attacker can perform a SQL injection in the Game Article DB (game_articledb) extension. [grav:2/4; TYPO3-SA-2010-003]
- An attacker can perform a SQL injection and a Cross Site Scripting attack in the Simple career (ml_career) extension. [grav:2/4; TYPO3-SA-2010-003]
- An attacker can perform a SQL injection in the Surprise Calendar (ml_surprisecalendar) extension. [grav:2/4; TYPO3-SA-2010-003]
- An attacker can perform a Cross Site Scripting attack in the Search Api Ajax Google (searchajaxgoogle) extension. [grav:2/4; TYPO3-SA-2010-003]
- An attacker can obtain information via the Download Manager (spr_downloadmanager) extension. [grav:1/4; TYPO3-SA-2010-003]

CHARACTERISTICS

Identifiers: BID-38030, TYPO3-SA-2010-002, TYPO3-SA-2010-003, VIGILANCE-VUL-9394
