Non-Persistent Cross-Site Scripting in extension "Static Methods since 2007" (div2007)


It has been discovered that the extension "Static Methods since 2007" (div2007) is susceptible to Cross-Site Scripting.

**Release Date:** May 31, 2016

**Component Type:** Third party extension. This extension is not a part of the TYPO3 default installation.

**Affected Versions:** version 1.6.8 and below

**Vulnerability Type:** Cross-Site Scripting

**Severity:** Low

**Suggested CVSS v2.0:** [AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C](<http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi?vector=%28AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C%29&g=2&lang=en>) ([What's that?](<http://buzz.typo3.org/teams/security/article/use-of-common-vulnerability-scoring-system-in-typo3-security-advisories/>))

**Problem Description:** Because it uses its own version of the class GeneralUtility, the extension div2007 is susceptible to Non-Persistent Cross-Site Scripting. Further information can be found in the [TYPO3-CORE-SA-2015-009](<https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-009/>) advisory.

**Solution:** An updated version 1.6.9 is available from the TYPO3 Extension Manager and at <https://typo3.org/extensions/repository/download/div2007/1.6.9/t3x/>. Users of the extension are advised to update the extension as soon as possible.

**Credits:** Credits go to Stephan Großberndt, who discovered and reported the vulnerability.

**General advice:** Follow the recommendations that are given in the [TYPO3 Security Guide](<http://docs.typo3.org/typo3cms/SecurityGuide/>). Please subscribe to the [typo3-announce mailing list](<http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce>) to receive future Security Bulletins via e-mail.

Affected Software

| CPE Name | Name | Version |
|----------|------|---------|
|          | div2007 | 1.6.8 |