02.09.06 14:27 Age: 5 yrs

Security Bulletin TYPO3-20060902-1: tip-a-friend

Category: Security, www.typo3.org

By: Michael Hirdes

A problem has been discovered with tip-a-friend being vulnerable to Cross-Site Scripting (XSS).

Component Type: Third Party Extension. The extension is not part of the TYPO3 default installation.

Affected Components: tipafriend

Versions: 1.2.1 and earlier

Vulnerability Type: Cross Site Scripting

Severity: low

Problem Description:

A problem has been discovered in the extension which allows attackers to send emails in the name of the website, but with a prepared URL that contains HTML content. It is not possible to insert JavaScript code.

Solution:

An updated version 1.2.2 is available in the extension repository and at typo3.org/extensions/repository/search/view/tipafriend/1.2.2

Users of the extension tipafriend are advised to update the extension immediately.

Credits: Special thanks to Rupert Germann, who is not the extension author, but volunteered to update the extension.
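
The class of problem described above, shown as an added example: this is not code from the tipafriend extension and not the fix shipped in 1.2.2. It sketches how a tip-a-friend style form can refuse a tipped URL that carries markup or points away from the sending site, and escape whatever it does embed in the mail. The function names, the host name and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; not code from the tipafriend extension.

/** Return $url if it may be placed in an outgoing tip mail, otherwise null. */
function validateTipUrl(string $url, string $siteHost): ?string
{
    // Reject markup characters, quotes, whitespace and control bytes outright
    // rather than trying to strip them.
    if ($url === '' || preg_match('/[<>"\'`\s\x00-\x1f\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Assumption: a tip may only point at the site that sends the mail.
    if (isset($parts['user']) || strtolower($parts['host']) !== strtolower($siteHost)) {
        return null;
    }
    return $url;
}

/** Build an HTML mail body; every interpolated value is escaped for HTML. */
function buildTipMailHtml(string $senderName, string $url): string
{
    $name = htmlspecialchars($senderName, ENT_QUOTES, 'UTF-8');
    $link = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return "<p>{$name} recommends this page: <a href=\"{$link}\">{$link}</a></p>";
}

// Constructed sample input, not taken from the bulletin.
$samples = [
    'http://www.example.org/index.php?id=42',
    'http://www.example.org/index.php?id=42&note=<b>text</b>',
    'http://other.example.net/index.php?id=42',
];
foreach ($samples as $candidate) {
    $url = validateTipUrl($candidate, 'www.example.org');
    echo $url === null
        ? "rejected: " . htmlspecialchars($candidate, ENT_QUOTES, 'UTF-8') . "\n"
        : buildTipMailHtml('Alice', $url) . "\n";
}
```

Only the first sample produces a mail body; the second is refused because of the markup characters and the third because its host is not the sending site.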

