It has been discovered that the extension fechangepassword is vulnerable to SQL injection when updating the password.
Component Type: Third-party extension. This extension is not part of the TYPO3 default installation.
Affected Versions: Version 2.1.2 and all versions below
Vulnerability Type: SQL Injection
Problem Description: When changing the password, it is possible to post malicious data that is injected into the SQL update query.
Solution: An updated version is available from the TYPO3 extension manager at http://typo3.org/extensions/repository/view/fechangepassword/2.2.0/
General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook.
Credits: Credits go to Allan Jacobsen, who is the author of the extension and fixed the issue.