Security Bulletin TYPO3-20060902-1: tip-a-friend

Categories: Security

Created by Michael Hirdes
The tip-a-friend extension has been found to be vulnerable to Cross-Site Scripting (XSS).

Component Type: Third Party Extension. The extension is not part of the TYPO3 default installation.

Affected Components: tipafriend

Versions: 1.2.1 and earlier

Vulnerability Type: Cross Site Scripting


Problem Description:

A problem has been discovered in the extension that allows attackers to send emails in the name of the website, but with a prepared URL that contains HTML content. It is not possible to insert JavaScript code.
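
As an added illustration (not code from the tipafriend extension or its 1.2.2 update), the following PHP shows one way a tip-a-friend form can check the submitted URL before quoting it in a mail sent in the site's name. The function names, the host `www.example.org` and the same-host policy are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example; names and hosts are hypothetical, not taken from tipafriend.

/** Return the URL if it is safe to quote in a tip mail, otherwise null. */
function validateTipUrl(string $url, string $siteHost): ?string
{
    // Reject markup and control characters, raw or percent-encoded.
    $forbidden = '/[\x00-\x1f\x7f<>"\'`]/';
    if (preg_match($forbidden, $url) || preg_match($forbidden, rawurldecode($url))) {
        return null;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only http(s) links to the site's own host, without userinfo.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || strcasecmp($parts['host'], $siteHost) !== 0) {
        return null;
    }
    return $url;
}

/** Encode the validated URL for an HTML mail body. */
function renderTipLink(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

// Constructed sample inputs.
$samples = [
    'https://www.example.org/news/article.html?id=5&L=1',
    'https://www.example.org/news/?x=<h1>Notice</h1>',
    'https://www.example.org/news/?x=%3Ch1%3ENotice%3C%2Fh1%3E',
    'https://other.example.net/page.html',
];
foreach ($samples as $sample) {
    $url = validateTipUrl($sample, 'www.example.org');
    echo $url === null ? "rejected: $sample\n" : 'accepted: ' . renderTipLink($url) . "\n";
}
```

Only the first constructed sample is accepted; validation and output encoding are applied together so that a URL which passes the checks is still encoded when it is placed in the mail body.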


An updated version 1.2.2 is available in the extension repository and at

Users of the extension tipafriend are advised to update the extension immediately.

Credits: Special thanks to Rupert Germann, who is not the extension author, but volunteered to update the extension.