Component Type: Third Party Extension. The extension is not part of the
TYPO3 default installation
Affected Components: chc_forum
Versions: 1.4.4 and earlier
Vulnerability Type: SQL injection
A weakness in the display of forum messages of chc_forum has been
discovered that may be used to execute arbitrary SQL
An updated version (chc_forum version 1.4.5) can be found on http://typo3.org/extensions/repository/search/chc_forum/1.4.5/ or via the Extension Manager. All users of this extension are advised to immediately install the update.
Credits:Thanks to Nickolas Shardin who discovered the vulnerability, thanks toRupert Germann for notifying the security team, thanks to the extensionauthor Zach Davis for providing an updated version of the extensionimmediately.