Message-ID: <20150111150752.GB6185@kludge.henri.nerv.fi>
Date: Sun, 11 Jan 2015 17:07:52 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE request: TYPO3-EXT-SA-2015-001, TYPO3-EXT-SA-2015-002, TYPO3-EXT-SA-2015-003

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Can I get CVE IDs for the following vulnerabilities, thank you.

http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2015-001/

It has been discovered that the extension "LDAP / SSO Authentication" (ig_ldap_sso_auth) is susceptible to Improper Authentication.

Release Date: January 8, 2015
Bulletin Update: January 8, 2015 (Affected Versions, Severity)
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: 2.0.0
Vulnerability Type: Improper Authentication
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: The extension insufficiently authenticates a user against LDAP/AD.
Solution: Updated version 2.0.1 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/ig_ldap_sso_auth/2.0.1/t3x/.
Credits: Credits go to Stefan Kaifer who discovered the vulnerability.

http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2015-002/

It has been discovered that the extension "Content Rating" (content_rating) is susceptible to Cross-Site Scripting and SQL Injection.

Release Date: January 9, 2015
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: 1.0.3 and all versions below
Vulnerability Type: Cross-Site Scripting, SQL Injection
Severity: High
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C
Problem Description: The extension fails to properly escape user input in HTML and SQL context.
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed in providing a security fix for the reported vulnerability in a decent amount of time. Please uninstall and delete the extension folder from your installation.
Credits: Credits go to Steffen Müller who discovered and reported the vulnerabilities.

http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2015-003/

It has been discovered that the extension "Content Rating Extbase" (content_rating_extbase) is susceptible to Cross-Site Scripting and SQL Injection.

Release Date: January 9, 2015
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: 2.0.3 and all versions below
Vulnerability Type: Cross-Site Scripting, SQL Injection
Severity: High
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C
Problem Description: The extension fails to properly escape user input in HTML and SQL context.
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed in providing a security fix for the reported vulnerability in a decent amount of time. Please uninstall and delete the extension folder from your installation.
Credits: Credits go to Steffen Müller who discovered and reported the vulnerabilities.

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlSykcgACgkQXf6hBi6kbk87SgCfRGA6v9XYxy4G1n9AIov1hnXG
gvYAoLm1tyheuIUe00K2f4c8eC259d9m
=JFAw
-----END PGP SIGNATURE-----
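The three bulletins quoted above give an extension key and an affected-version rule each (ig_ldap_sso_auth exactly 2.0.0, content_rating 1.0.3 and below, content_rating_extbase 2.0.3 and below), which is enough to triage an installation. The script below is an added example, not part of the message or of the TYPO3 project's tooling: it walks the locally installed extensions, reads each one's declared version and reports whether it falls inside the affected range from the bulletins. It assumes the standard TYPO3 layout of typo3conf/ext/<extkey>/ext_emconf.php with a 'version' => 'x.y.z' entry; the sample tree it builds for the demonstration is constructed data, not a real installation.

```shell
#!/bin/sh
# Added example: triage a TYPO3 installation against TYPO3-EXT-SA-2015-001/002/003.
# Assumes extensions live under ROOT/typo3conf/ext/<extkey>/ext_emconf.php and that
# ext_emconf.php carries a 'version' => 'x.y.z' entry (standard TYPO3 convention).

# version_le A B : succeed when dotted version A <= B, comparing numerically per
# component; a missing component counts as 0, so "2.0" == "2.0.0".
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 0
    }'
}

# extension_version DIR : print the version string declared in DIR/ext_emconf.php
extension_version() {
    sed -n "s/.*'version'[[:space:]]*=>[[:space:]]*'\([0-9.]*\)'.*/\1/p" \
        "$1/ext_emconf.php" | head -n 1
}

# status_for EXTKEY VERSION : "affected", "not-affected" or "unknown" per the bulletins
status_for() {
    case "$1" in
        ig_ldap_sso_auth)
            # TYPO3-EXT-SA-2015-001 lists 2.0.0 as affected; 2.0.1 carries the fix
            if [ "$2" = "2.0.0" ]; then echo affected; else echo not-affected; fi ;;
        content_rating)
            # TYPO3-EXT-SA-2015-002: 1.0.3 and all versions below; no fixed release exists
            if version_le "$2" 1.0.3; then echo affected; else echo not-affected; fi ;;
        content_rating_extbase)
            # TYPO3-EXT-SA-2015-003: 2.0.3 and all versions below; no fixed release exists
            if version_le "$2" 2.0.3; then echo affected; else echo not-affected; fi ;;
        *)
            echo unknown ;;
    esac
}

# scan_typo3 ROOT : print "extkey version status" for every installed extension the
# bulletins cover; extensions they do not mention are skipped.
scan_typo3() {
    for dir in "$1"/typo3conf/ext/*/; do
        if [ ! -f "$dir/ext_emconf.php" ]; then continue; fi
        key=$(basename "$dir")
        ver=$(extension_version "$dir")
        st=$(status_for "$key" "$ver")
        if [ "$st" = unknown ]; then continue; fi
        printf '%s %s %s\n' "$key" "$ver" "$st"
    done
}

# make_sample_tree ROOT : constructed sample installation for the demonstration
# (one patched extension, two affected ones, one unrelated extension).
make_sample_tree() {
    for spec in ig_ldap_sso_auth:2.0.1 content_rating:1.0.2 \
                content_rating_extbase:2.0.3 news:3.0.0; do
        key=${spec%%:*}; ver=${spec#*:}
        mkdir -p "$1/typo3conf/ext/$key"
        printf "<?php\n\$EM_CONF[\$_EXTKEY] = array(\n    'title' => '%s',\n    'version' => '%s',\n);\n" \
            "$key" "$ver" > "$1/typo3conf/ext/$key/ext_emconf.php"
    done
}

# Demonstration on the constructed tree; point scan_typo3 at a real web root instead.
demo() {
    root=$(mktemp -d)
    make_sample_tree "$root"
    scan_typo3 "$root"
    rm -rf "$root"
}
demo
```

On the constructed tree the scan reports content_rating 1.0.2 and content_rating_extbase 2.0.3 as affected and ig_ldap_sso_auth 2.0.1 as not affected; since the two Content Rating extensions have no fixed release, any "affected" line for them means uninstalling and deleting the extension folder, as the bulletins direct.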