Multiple vulnerabilities in extension T3BLOG (t3blog)
2010-02-01T00:00:00
ID: TYPO3-SA-2010-002 | Type: typo3 | Reporter: TYPO3 Association | Modified: 2010-02-01T00:00:00
Description
It has been discovered that the extension T3BLOG (t3blog) is vulnerable to SQL Injection and Cross-Site Scripting.
Release Date: February 1, 2010
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: Version 0.6.2 and all versions below
Vulnerability Type: Multiple SQL Injection and Cross-Site Scripting vulnerabilities
Severity: Critical
Problem Description: The TYPO3 extension t3blog fails to sanitize parameters provided by the user through HTML forms. Therefore both SQL Injection and Cross-Site Scripting are possible in Frontend and Backend.
Solution: An updated version 0.8.0 is available from the TYPO3 extension manager and at <http://typo3.org/extensions/repository/view/t3blog/0.8.0/>. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to TYPO3 Security Team Member Marcus Krause who discovered and reported the issues and to TYPO3 Security Team Member Dmitry Dulepov who fixed the issues.
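To illustrate the class of defect the advisory describes (form parameters concatenated into SQL and echoed into HTML), here is an added example written in the TYPO3 4.x extension style of the period; it is not code from t3blog or from the fix, and the plugin parameter array, table name and column names are assumptions.

```php
<?php
// Added example, not t3blog's own code. Assumed names: the "tx_t3blog_pi1"
// parameter array, the table "tx_t3blog_post" and its columns are placeholders.

// The pattern the advisory describes: untrusted form values used directly.
function listPostsVulnerable() {
    $piVars = t3lib_div::_GP('tx_t3blog_pi1');          // GET/POST merged by TYPO3
    $category = $piVars['category'];                    // raw, unchecked string

    // SQL Injection: the value is spliced into the WHERE clause unescaped.
    $rows = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows(
        'uid, title', 'tx_t3blog_post', "category='" . $category . "' AND deleted=0"
    );

    $out = '<h2>Posts in ' . $category . '</h2>';      // XSS: reflected without encoding
    foreach ((array)$rows as $row) {
        $out .= '<p>' . $row['title'] . '</p>';         // stored XSS if a title was tainted earlier
    }
    return $out;
}

// The hardened form: quote on the way into SQL, encode on the way out to HTML.
function listPostsHardened() {
    $piVars = t3lib_div::_GP('tx_t3blog_pi1');
    $category = isset($piVars['category']) ? (string)$piVars['category'] : '';

    // fullQuoteStr() escapes and quotes the value for the database connection in use.
    $where = 'category=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($category, 'tx_t3blog_post')
           . ' AND deleted=0';
    $rows = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('uid, title', 'tx_t3blog_post', $where);

    // htmlspecialchars() neutralises <, >, &, " in everything rendered into the page,
    // covering both the reflected parameter and values read back from the database.
    $out = '<h2>Posts in ' . htmlspecialchars($category) . '</h2>';
    foreach ((array)$rows as $row) {
        $out .= '<p>' . htmlspecialchars($row['title']) . '</p>';
    }
    return $out;
}
```

Both functions apply equally to Backend module code, which the advisory lists as affected alongside the Frontend plugin.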
General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook (<http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf>).
Please subscribe to the typo3-announce mailing list (<http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce>) to receive future Security Bulletins via E-mail.
Related CVE identifiers: CVE-2010-0797, CVE-2010-0798
Source: <https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-sa-2010-002/>