Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20140905094034.GB17649@kludge.henri.nerv.fi>
Date: Fri, 5 Sep 2014 12:40:34 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: TYPO3 Security Team <security@...o3.org>
Subject: CVE request: TYPO3-EXT-SA-2013-014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can I get 2013 CVE for TYPO3-EXT-SA-2013-014, thanks. Reasoning for CVE in
information disclosure case is that this vulnerability exposes sensitive user
data.

http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2013-014/
http://osvdb.org/97812

It has been discovered that the extension "Direct Mail" (direct mail) is
susceptible to Information Disclosure.

Release Date: September 25, 2013
Affected Versions: Version 3.1.1 and below
Vulnerability Type: Information Disclosure
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:P/RL:O/RC:C
Problem Description: Failing to check authentication codes properly, direct_mail
exposes user data including the original authentication code.

Solution: An updated version 3.1.2 is available from the TYPO3 extension manager
and at http://typo3.org/extensions/repository/download/direct_mail/3.1.2/t3x/.
Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Bernhard Kraft who discovered and reported this issue. 

- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlQJhRIACgkQXf6hBi6kbk/T8QCaAxtYYv2J3HQChte+F5oPqLtB
Z4kAn2YpjPfhOonCCcne9g3SYmEAmtb+
=rI3r
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.