Security Bulletins: chc_forum, th_mailformplus

By: Ekkehard Gümbel

Two security bulletins regarding the 3rd party extensions "CHC Forum" and "th_mailformplus" have been issued today. Fixed versions are available.

TYPO3-20051107-1: A bug has been discovered in the "CHC Forum" (chc_forum) extension where some Javascript expressions are not properly caught when entered in forms. Thus, specially crafted entries may be used to inject malicious code.

TYPO3-20051107-2: A weakness in the form validation of th_mailformplus has been discovered that may be abused to inject additional recipients in mail forms.

Please see the complete bulletins for details.