Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
typo3TYPO3 AssociationTYPO3-20070919-1
HistoryJan 29, 2007 - 12:00 a.m.

Multiple vulnerabilities in extension mm_forum

2007-01-2900:00:00
TYPO3 Association
typo3.org
15
JSON

It has been discovered that the extension mm_forum is vulnerable to multiple SQL Injection attacks and multiple XSS flaws alongside other vulnerabilities.

Component Type: Third party extension. This extension is not part of the TYPO3 default installation.

**Affected Versions:**Version 0.1.2 and all versions below.

Vulnerability Type: SQL Injection, Cross Site Scripting.

Severity: HIGH.

Problem Description: The extension is open to multiple SQL injections and Cross Site Scripting flaws because it fails to properly sanitize user-supplied input.

Please note that the TYPO3 Security Team has not done a complete review of the extension, due to lack of time and funding for this.

Please contact the TYPO3 Security Team if you are able to donate money to our work, i.e. reviewing this extension.

So****lution: An updated version is available from the TYPO3 extension manager and at
http://typo3.org/extensions/repository/view/mm_forum/0.1.3/

General advice:
Follow the recommendations that are given in the <media 800 - external-link-new-window>TYPO3 Security Cookbook</media>.
Keep notice of the TYPO3 security bulletin page at http://typo3.org/teams/security/security-bulletins/.

Credits: The TYPO3 Security Team wishes to thank the guys at Mittwald CM Service. After being informed by the TYPO3 Security Team about the presence of multiple security issues, they have fixed the issues quickly, and also reviewed the full code of mm_forum, to eliminate further security issues.

CPENameOperatorVersion
mm_forumle0.1.2
JSON