ID 67516177-88EC-11E1-9A10-0023AE8E59F0 Type freebsd Reporter FreeBSD Modified 2012-04-17T00:00:00
Description
Typo Security Team reports:
Failing to properly encode the output, the default TYPO3
Exception Handler is susceptible to Cross-Site Scripting. We
are not aware of a possibility to exploit this vulnerability
without third party extensions being installed that put user
input in exception messages. However, it has come to our
attention that extensions using the extbase MVC framework can
be used to exploit this vulnerability if these extensions
accept objects in controller actions.
{"reporter": "FreeBSD", "published": "2012-04-17T00:00:00", "cvelist": ["CVE-2012-2112"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.6.0", "packageFilename": "UNKNOWN", "packageName": "typo3", "arch": "noarch", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.6.7", "packageFilename": "UNKNOWN", "packageName": "typo3", "arch": "noarch", "operator": "le"}], "title": "typo -- Cross-Site Scripting", "objectVersion": "1.2", "type": "freebsd", "href": "https://vuxml.freebsd.org/freebsd/67516177-88ec-11e1-9a10-0023ae8e59f0.html", "bulletinFamily": "unix", "hashmap": [{"hash": "984e38fcba092de0ff16eb145c6ce810", "key": "affectedPackage"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "fc37eaf9f66874d4412da97d2cdff59b", "key": "cvelist"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "766194e36c6586de198a2befca0abbf4", "key": "description"}, {"hash": "32c258949bb006c048fd8682965d55f3", "key": "href"}, {"hash": "344514ace4d1c80a7f13dedf20761595", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "344514ace4d1c80a7f13dedf20761595", "key": "published"}, {"hash": "56784d51283f5934a7ba7cfde48d5617", "key": "references"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "08f16b0f485a4f598a14fd12e1aa64cd", "key": "title"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "cfcd208495d565ef66e7dff9f98764da", "key": "viewCount"}], "history": [], "enchantments": {"vulnersScore": 4.3}, "modified": "2012-04-17T00:00:00", "hash": "d256c6fa4f606fbf4f95ab5b5032ee3ac9e218c4d9dff9d5209f23e7f18a595d", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "viewCount": 1, "edition": 1, "description": "\nTypo Security Team reports:\n\nFailing to properly encode the output, the default TYPO3\n\t Exception Handler is susceptible to Cross-Site Scripting. We\n\t are not aware of a possibility to exploit this vulnerability\n\t without third party extensions being installed that put user\n\t input in exception messages. However, it has come to our\n\t attention that extensions using the extbase MVC framework can\n\t be used to exploit this vulnerability if these extensions\n\t accept objects in controller actions.\n\n", "references": ["https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/"], "id": "67516177-88EC-11E1-9A10-0023AE8E59F0", "lastseen": "2016-09-26T17:24:38"}
{"result": {"cve": [{"id": "CVE-2012-2112", "type": "cve", "title": "CVE-2012-2112", "description": "Cross-site scripting (XSS) vulnerability in the Exception Handler in TYPO3 4.4.x before 4.4.15, 4.5.x before 4.5.15, 4.6.x before 4.6.8, and 4.7 allows remote attackers to inject arbitrary web script or HTML via exception messages.", "published": "2012-08-27T17:55:01", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2112", "cvelist": ["CVE-2012-2112"], "lastseen": "2017-08-29T12:17:37"}], "openvas": [{"id": "OPENVAS:71260", "type": "openvas", "title": "Debian Security Advisory DSA 2455-1 (typo3-src)", "description": "The remote host is missing an update to typo3-src\nannounced via advisory DSA 2455-1.", "published": "2012-04-30T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=71260", "cvelist": ["CVE-2012-2112"], "lastseen": "2017-07-24T12:50:54"}, {"id": "OPENVAS:71275", "type": "openvas", "title": "FreeBSD Ports: typo3", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2012-04-30T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=71275", "cvelist": ["CVE-2012-2112"], "lastseen": "2017-07-02T21:10:40"}, {"id": "OPENVAS:136141256231071260", "type": "openvas", "title": "Debian Security Advisory DSA 2455-1 (typo3-src)", "description": "The remote host is missing an update to typo3-src\nannounced via advisory DSA 2455-1.", "published": "2012-04-30T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231071260", "cvelist": ["CVE-2012-2112"], "lastseen": "2018-04-06T11:18:46"}, {"id": "OPENVAS:136141256231071275", "type": "openvas", "title": "FreeBSD Ports: typo3", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2012-04-30T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231071275", "cvelist": ["CVE-2012-2112"], "lastseen": "2018-04-06T11:18:08"}, {"id": "OPENVAS:1361412562310803999", "type": "openvas", "title": "TYPO3 Exception Handler Cross Site Scripting Vulnerability", "description": "This host is installed with TYPO3 and is prone to cross site scripting\nvulnerability.", "published": "2014-01-02T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803999", "cvelist": ["CVE-2012-2112"], "lastseen": "2017-07-26T08:48:28"}], "nessus": [{"id": "DEBIAN_DSA-2455.NASL", "type": "nessus", "title": "Debian DSA-2455-1 : typo3-src - missing input sanitization", "description": "Helmut Hummel of the TYPO3 security team discovered that TYPO3, a web content management system, is not properly sanitizing output of the exception handler. This allows an attacker to conduct cross-site scripting attacks if either third-party extensions are installed that do not sanitize this output on their own or in the presence of extensions using the extbase MVC framework which accept objects to controller actions.", "published": "2012-04-23T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=58817", "cvelist": ["CVE-2012-2112"], "lastseen": "2017-10-29T13:44:18"}, {"id": "FREEBSD_PKG_6751617788EC11E19A100023AE8E59F0.NASL", "type": "nessus", "title": "FreeBSD : typo -- XSS (67516177-88ec-11e1-9a10-0023ae8e59f0)", "description": "Typo Security Team reports :\n\nFailing to properly encode the output, the default TYPO3 Exception Handler is susceptible to Cross-Site Scripting. We are not aware of a possibility to exploit this vulnerability without third party extensions being installed that put user input in exception messages.\nHowever, it has come to our attention that extensions using the extbase MVC framework can be used to exploit this vulnerability if these extensions accept objects in controller actions.", "published": "2012-04-19T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=58790", "cvelist": ["CVE-2012-2112"], "lastseen": "2017-10-29T13:46:12"}], "typo3": [{"id": "TYPO3-CORE-SA-2012-002", "type": "typo3", "title": "Cross-Site Scripting Vulnerability in TYPO3 Core", "description": "It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting.\n\n**Component Type:** TYPO3 Core\n\n**Affected Versions:** 4.4.0 up to 4.4.14, 4.5.0 up to 4.5.14, 4.6.0 up to 4.6.7 and development releases of the 4.7 branch.\n\n## Vulnerable subcomponent: Exception Handler\n\n**Vulnerability Type:** Cross-Site Scripting \n\n**Severity:** Medium\n\n**Suggested CVSS v2.0:** [AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C](<http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi?vector=%28AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C%29&g=3&lang=en> \"CVSS calculator\" ) ([What's that?](<http://buzz.typo3.org/teams/security/article/use-of-common-vulnerability-scoring-system-in-typo3-security-advisories/> \"Blog post on CVSS usage\" ))\n\n**CVE:** CVE-2012-2112 ([What's that?](<http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>))\n\n**Problem Description: **Failing to properly encode the output, the default TYPO3 Exception Handler is susceptible to Cross-Site Scripting. \nWe are not aware of a possibilty to exploit this vulnerability without third party extensions being installed that put user input in exception messages. \nHowever it has come to our attention that extensions using the extbase MVC framework can be used to exploit this vulnerability if these extensions accept objects in controller actions. \nIn general and especially when in doubt if the above conditions are met, we highly recommend users of affected versions to update as soon as possible. \n\n\n**Imortant Note:** In case you have configured your own exception handler for TYPO3 you need to make sure that the exception messages are properly encoded within this exception handler before they are presented. \n\n**Solution:** Update to the TYPO3 versions 4.4.15, 4.5.15 or 4.6.8 that fix the problem described! \n\n**Credits:** Credits go to Security Team Member Helmut Hummel who discovered and reported the issue.\n\n## \n\n**General Advice:** Follow the recommendations that are given in the [TYPO3 Security Guide](<http://typo3.org/extension-manuals/doc_guide_security/current/> \"Opens external link in new window\" ). Please subscribe to the [typo3-announce](<http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce> \"Subscribe to the typo3-announce mailing list\" ) mailing list.\n", "published": "2012-04-17T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/", "cvelist": ["CVE-2012-2112"], "lastseen": "2016-09-28T15:30:35"}], "debian": [{"id": "DSA-2455", "type": "debian", "title": "typo3-src -- missing input sanitization", "description": "Helmut Hummel of the TYPO3 security team discovered that TYPO3, a web content management system, is not properly sanitizing output of the exception handler. This allows an attacker to conduct cross-site scripting attacks if either third-party extensions are installed that do not sanitize this output on their own or in the presence of extensions using the extbase MVC framework which accept objects to controller actions.\n\nFor the stable distribution (squeeze), this problem has been fixed in version 4.3.9+dfsg1-1+squeeze4.\n\nFor the testing (wheezy) and unstable (sid) distributions, this problem will be fixed soon.\n\nWe recommend that you upgrade your typo3-src packages.", "published": "2012-04-20T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://www.debian.org/security/dsa-2455", "cvelist": ["CVE-2012-2112"], "lastseen": "2016-09-02T18:30:30"}]}}
