Detections
Analytics

Debian DSA-2121-1 : typo3-src - several vulnerabilities

high Nessus Plugin ID 50024

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

Several remote vulnerabilities have been discovered in TYPO3. The Common Vulnerabilities and Exposures project identifies the following problems :

 - CVE-2010-3714 Multiple remote file disclosure vulnerabilities in the jumpUrl mechanism and the Extension Manager allowed attackers to read files with the privileges of the account under which the web server was running.

 - CVE-2010-3715 The TYPO3 backend contained several cross-site scripting vulnerabilities, and the RemoveXSS function did not filter all JavaScript code.

 - CVE-2010-3716 Malicious editors with user creation permission could escalate their privileges by creating new users in arbitrary groups, due to lack of input validation in the taskcenter.

 - CVE-2010-3717 TYPO3 exposed a crasher bug in the PHP filter_var function, enabling attackers to cause the web server process to crash and thus consume additional system resources.

Solution

Upgrade the TYPO3 packages.

For the stable distribution (lenny), these problems have been fixed in version 4.2.5-1+lenny6.

See Also

https://security-tracker.debian.org/tracker/CVE-2010-3714

https://security-tracker.debian.org/tracker/CVE-2010-3715

https://security-tracker.debian.org/tracker/CVE-2010-3716

https://security-tracker.debian.org/tracker/CVE-2010-3717

https://www.debian.org/security/2010/dsa-2121

Plugin Details

Severity: High

ID: 50024

File Name: debian_DSA-2121.nasl

Version: 1.13

Type: local

Agent: unix

Published: 10/20/2010

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:typo3-src, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/19/2010

Reference Information

CVE: CVE-2010-3714, CVE-2010-3715, CVE-2010-3716, CVE-2010-3717

BID: 43786

DSA: 2121