09/11/06

TYPO3 Security Bulletin TYPO3-20060911-1: indexed search

Component Type: System Extension
This Extension is Part of the TYPO3 default installation

Affected Components: Indexed Search

Versions: 2.9.0 under TYPO3 4.x

Vulnerability Type: Cross Site Scripting

Severity: medium

Problem Description:

The search word was not escaped correctly, so a prepared URL (e.g. one referenced in an email) could potentially contain unwanted JavaScript code.

Solution:
Upgrade to TYPO3 4.0.2 or apply the patch which is provided here: indexed search xss patch
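
The patch itself is not reproduced on this page. As an added illustration (not TYPO3 code and not the patch), the following PHP sketch shows the kind of output escaping a reflected search word needs in each place a search page typically echoes it; the function names and the `sword` and `page` parameter names are hypothetical.

```php
<?php
// Added illustration, not TYPO3 code: all names here are hypothetical.

/** Escape a value for HTML text or a quoted attribute value. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** Render a search form, result heading and pager link that reflect the search word. */
function renderSearchBox(string $searchWord, int $nextPage): string
{
    // URL context: percent-encode the query parameters first,
    // then HTML-escape the finished URL before placing it in the href attribute.
    $href = 'index.php?' . http_build_query(['sword' => $searchWord, 'page' => $nextPage]);

    return '<form action="index.php" method="get">'
        // Attribute context: ENT_QUOTES keeps the value inside its quotes.
        . '<input type="text" name="sword" value="' . escapeHtml($searchWord) . '" />'
        . '</form>'
        // Text context: angle brackets become entities, so no element is created.
        . '<p>Results for: ' . escapeHtml($searchWord) . '</p>'
        . '<a href="' . escapeHtml($href) . '">Next page</a>';
}

// Constructed test input containing quote and markup characters.
$constructed = '"><script>alert(1)</script>';
$html = renderSearchBox($constructed, 2);

// Regression check: the search word must appear only in its encoded forms.
$encoded = '&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;';
if (strpos($html, '<script') !== false || substr_count($html, $encoded) !== 2) {
    fwrite(STDERR, "FAIL: search word reflected unescaped\n");
    exit(1);
}
echo "OK: search word escaped in text, attribute and URL contexts\n";
```

A check like the one at the end of the block can be kept as a regression test after upgrading or patching, so that a later template change does not reintroduce an unescaped reflection.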

Credits:
Special thanks to Mr. Ekkehard Gümbel who pointed this one out to us, and to Mr. Ingmar Schlecht, who provided the Patch.