
05/01/06

Security Bulletin TYPO3-20060501-1: chc_forum

 

Component Type: Third Party Extension. The extension is not part of the TYPO3 default installation.

 

Affected Components: chc_forum

 

Versions: 1.4.4 and earlier

Vulnerability Type: SQL injection

Severity: High

 

Problem Description:
A weakness in the display of forum messages of chc_forum has been
discovered that may be used to execute arbitrary SQL

 

Solution:
An updated version (chc_forum version 1.4.5) can be found on http://typo3.org/extensions/repository/search/chc_forum/1.4.5/ or via the Extension Manager. All users of this extension are advised to immediately install the update.

 

Credits:
Thanks to Nickolas Shardin who discovered the vulnerability, thanks to
Rupert Germann for notifying the security team, thanks to the extension
author Zach Davis for providing an updated version of the extension
immediately.