Several vulnerabilities were reported in plugins for TYPO3:
- sb_akronymmanager: SQL injection via the "id" parameter of the "ext/sb_akronymmanager/mod1/index.php" page (CVE-2015-2803)
- BE User Log: cross-site scripting
- Frontend User Upload: arbitrary code execution
- wt_directory: SQL injection
- Smoelenboek: SQL injection
- Store Locator: SQL injection
- Developer Log: SQL injection. To exploit this vulnerability, the attacker must already hold backend permissions to access the module
- Frequently Asked Questions: SQL injection
- Job Fair: arbitrary code execution.
A proof of concept is available for the CVE-2015-2803 vulnerability.
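The SQL injections listed above all share one shape: a request parameter (in the sb_akronymmanager case, "id") reaches the WHERE clause of a query without being cast or quoted. The following PHP is an added illustration of that pattern and its fix, not code from sb_akronymmanager or any other extension named here. It assumes the TYPO3 6.2/7 LTS database API as it existed around the time of these reports ($GLOBALS['TYPO3_DB'] with exec_SELECTgetRows() and fullQuoteStr(), and GeneralUtility::_GP() for reading request parameters); the table and column names are made up for the example.

```php
<?php
// Added illustration, not code from sb_akronymmanager or any extension listed above.
// Shows the backend-module pattern behind an SQL injection through an "id" request
// parameter, beside two hardened variants using the TYPO3 6.2/7 LTS database API
// (assumed: $GLOBALS['TYPO3_DB']->exec_SELECTgetRows(), ->fullQuoteStr(),
// and GeneralUtility::_GP() for request parameters).

use TYPO3\CMS\Core\Utility\GeneralUtility;

// Hypothetical table, used only for this example.
const EXAMPLE_TABLE = 'tx_example_domain_model_acronym';

/**
 * Vulnerable: the raw request value is concatenated into the WHERE clause.
 * A request such as ?id=1 OR 1=1 returns every row, and a UNION SELECT in the
 * same parameter can read any table the TYPO3 database user may access.
 */
function findAcronymVulnerable()
{
    $id = GeneralUtility::_GP('id');          // untrusted string from GET/POST
    return $GLOBALS['TYPO3_DB']->exec_SELECTgetRows(
        '*',
        EXAMPLE_TABLE,
        'uid = ' . $id                        // injection point
    );
}

/**
 * Hardened, variant 1: "id" is a record uid, so coerce it to an integer.
 * Anything that is not a positive integer never reaches the SQL string.
 */
function findAcronymByIntId()
{
    $id = (int)GeneralUtility::_GP('id');
    if ($id <= 0) {
        return null;                          // uid 0 is never a valid record
    }
    return $GLOBALS['TYPO3_DB']->exec_SELECTgetRows(
        '*',
        EXAMPLE_TABLE,
        'uid = ' . $id . ' AND deleted = 0'
    );
}

/**
 * Hardened, variant 2: for string parameters, let the database connection
 * quote and escape the value instead of assembling the literal by hand.
 */
function findAcronymByShortName($shortName)
{
    $db = $GLOBALS['TYPO3_DB'];
    return $db->exec_SELECTgetRows(
        '*',
        EXAMPLE_TABLE,
        'short_name = ' . $db->fullQuoteStr($shortName, EXAMPLE_TABLE) . ' AND deleted = 0'
    );
}
```

When reviewing a backend module for this class of bug, grep for string concatenation into the $where_clause argument of exec_SELECT*() calls (and for raw SQL built with $_GET/$_POST or _GP()); every value that is not cast to int or passed through fullQuoteStr() is a candidate. Note that the "Developer Log" entry above shows the limit of the backend-module attack surface: a backend login with module access is still required, so these are privilege-escalation and data-exposure issues for authenticated users rather than anonymous ones.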
Vulnerable Products
Vulnerable Software: TYPO3 (TYPO3)
Solution
New versions of the following plugins fix these vulnerabilities:
- sb_akronymmanager: 7.0.0
- wt_directory: 1.4.2
- Smoelenboek: 1.0.9
- Store Locator: 3.3.1
- Developer Log: 2.11.4
- Frequently Asked Questions: 1.2.1
- Job Fair: 1.0.1
The following plugins are end-of-life and receive no fix. It is recommended to uninstall them:
- BE User Log
- Frontend User Upload