Debian DSA-2537-1 : typo3-src - several vulnerabilities

medium Nessus Plugin ID 61735

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities were discovered in TYPO3, a content management system.

- CVE-2012-3527 An insecure call to unserialize in the help system enables arbitrary code execution by authenticated users.

- CVE-2012-3528 The TYPO3 backend contains several cross-site scripting vulnerabilities.

- CVE-2012-3529 Authenticated users who can access the configuration module can obtain the encryption key, allowing them to escalate their privileges.

- CVE-2012-3530 The RemoveXSS HTML sanitizer did not remove several HTML5 JavaScript, thus failing to mitigate the impact of cross-site scripting vulnerabilities.

Solution

Upgrade the typo3-src packages.

For the stable distribution (squeeze), these problems have been fixed in version 4.3.9+dfsg1-1+squeeze5.

See Also

https://security-tracker.debian.org/tracker/CVE-2012-3527

https://security-tracker.debian.org/tracker/CVE-2012-3528

https://security-tracker.debian.org/tracker/CVE-2012-3529

https://security-tracker.debian.org/tracker/CVE-2012-3530

https://packages.debian.org/source/squeeze/typo3-src

https://www.debian.org/security/2012/dsa-2537

Plugin Details

Severity: Medium

ID: 61735

File Name: debian_DSA-2537.nasl

Version: 1.10

Type: local

Agent: unix

Published: 8/31/2012

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:typo3-src, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 8/30/2012

Reference Information

CVE: CVE-2012-3527, CVE-2012-3528, CVE-2012-3529, CVE-2012-3530, CVE-2012-3531

BID: 55052

DSA: 2537