A header injection problem has been found in the extension tipafriend
Component Type: Third party extension. The extension is not part of the TYPO3 default installation.
Affected Versions: 1.2.2 and earlier
Vulnerability Type: Header Injection
Severity: HIGH
A problem has been discovered in the extension that allows attackers to send arbitrary mail headers and similar, which can lead to misuse of the extension.
An updated version 1.2.3 is available in the extension repository and at typo3.org/extensions/repository/view/tipafriend/1.2.3/
Users of the extension tipafriend are advised to update the extension immediately.
Follow the recommendations that are given in the TYPO3 Security Cookbook.
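The class of problem described above, as an added example that is neither the extension's code nor the fix shipped in 1.2.3 (the advisory publishes neither): untrusted form values are checked for control characters before any of them is placed in a mail header. The field names name, email and recipient and the fixed From address are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: field names and the From address are hypothetical.

/** Return $value trimmed, or throw if it could break out of a header line. */
function headerSafe(string $field, $value): string
{
    // Non-string input (e.g. name[]=x) and any control byte, CR and LF
    // included, are rejected rather than stripped.
    if (!is_string($value) || preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        throw new InvalidArgumentException("Unsafe value in field '$field'");
    }
    return trim($value);
}

/** Header-safe and syntactically valid e-mail address. */
function safeEmail(string $field, $value): string
{
    $value = headerSafe($field, $value);
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("Invalid address in field '$field'");
    }
    return $value;
}

/** Validate untrusted form input before any of it reaches a mail header. */
function buildTipHeaders(array $form): array
{
    return [
        'To'       => safeEmail('recipient', $form['recipient'] ?? null),
        'From'     => 'noreply@example.org', // fixed site address
        'Reply-To' => safeEmail('email', $form['email'] ?? null),
        'Subject'  => 'Page recommended by ' . headerSafe('name', $form['name'] ?? null),
    ];
}

// Constructed sample submissions: one clean, one with an embedded line break.
$samples = [
    ['name' => 'Alice', 'email' => 'alice@example.com', 'recipient' => 'bob@example.com'],
    ['name' => "Alice\r\nsecond line", 'email' => 'alice@example.com', 'recipient' => 'bob@example.com'],
];
foreach ($samples as $form) {
    try {
        print_r(buildTipHeaders($form));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```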
Thanks to security team members Thorsten Kahler and Andreas Otto, who discovered the issue and provided a fix when reporting it to the security team.