It has been discovered that the extension "http:BL Blocking" (mh_httpbl) is susceptible to SQL Injection and Cross-Site Scripting.
Release Date: May 31, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: 1.1.7 and below
Vulnerability Type: SQL injection, Cross-Site Scripting
Problem Description: The extension fails to properly escape user input and is therefore susceptible to SQL Injection and Cross-Site Scripting. The SQL Injection vulnerability is exploitable only by users who have access to the backend module.
Solution: An updated version 1.1.8 is available from the TYPO3 extension manager and at <https://typo3.org/extensions/repository/download/mh_httpbl/1.1.8/t3x/>. Users of the extension are advised to update the extension as soon as possible.
Credits: Thanks to Wouter van Dongen who discovered and reported the vulnerability.