TYPO3 modules allow SQL injection and cross-site scripting
The developers of the kj_imagelightbox2 and sg_zfelib add-on modules for the TYPO3 open source content management system have patched security holes that allow attackers to inject SQL commands or conduct cross-site scripting attacks. The modules are all provided by third parties and are not part of the standard TYPO3 installation.
The Library for Frontend plugins (sg_zfelib) does not filter user input, allowing attackers to inject SQL commands that give them read access to the database. sg_zfelib provides functions for other extensions, which may therefore also be affected by the flaw. The TYPO3 developers list the following add-on components as examples:
- sg_newsplus
- sg_address
- sg_avmedia
- sg_event
- sg_genealogy
- sg_glossary
- sg_newsletter
- sg_prodprom
- sg_smallads
- sg_userdata
- sg_filelist
- sg_dictionary
The KJ:Image Lightbox v2 extension (kj_imagelightbox2) does not filter user input either, and therefore allows cross-site scripting attacks. The developers have released updated versions of both modules. Users of the plug-ins are advised to download and install these updates as soon as possible.
See also:
- Cross Site Scripting vulnerability in extension "KJ: Image Lightbox v2" (kj_imagelightbox2), security advisory from the developers of TYPO3
- SQL Injection in extension "Library for Frontend plugins" (sg_zfelib), security advisory from the developers of TYPO3
- Download the latest version of kj_imagelightbox2
- Download the latest version of sg_zfelib
(mba)