Detections
Analytics

FreeBSD : typo3 -- Multiple vulernabilities in TYPO3 Core (48bcb4b2-e708-11e1-a59d-000d601460a4)

high Nessus Plugin ID 61557

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Typo Security Team reports :

It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, Information Disclosure, Insecure Unserialize leading to Arbitrary Code Execution.

TYPO3 Backend Help System - Due to a missing signature (HMAC) for a parameter in the view_help.php file, an attacker could unserialize arbitrary objects within TYPO3. We are aware of a working exploit, which can lead to arbitrary code execution. A valid backend user login or multiple successful cross site request forgery attacks are required to exploit this vulnerability.

TYPO3 Backend - Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities.

TYPO3 Backend - Accessing the configuration module discloses the Encryption Key. A valid backend user with access to the configuration module is required to exploit this vulnerability.

TYPO3 HTML Sanitizing API - By not removing several HTML5 JavaScript events, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections, thus is susceptible to Cross-Site Scripting. Failing to properly encode for JavaScript the API method t3lib_div::quoteJSvalue(), it is susceptible to Cross-Site Scripting.

TYPO3 Install Tool - Failing to properly sanitize user input, the Install Tool is susceptible to Cross-Site Scripting.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?ef693360

http://www.nessus.org/u?7596f565

Plugin Details

Severity: High

ID: 61557

File Name: freebsd_pkg_48bcb4b2e70811e1a59d000d601460a4.nasl

Version: 1.5

Type: local

Published: 8/16/2012

Updated: 1/6/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:typo3, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 8/15/2012

Vulnerability Publication Date: 8/15/2012