Security Bulletin TYPO3-20060911-1: indexed search
Categories: Security
A Cross-Site-Scripting (XSS) problem has been discovered in indexed search.
Component Type: System Extension
This extension is part of the TYPO3 default installation.
Affected Components: Indexed Search
Versions: 2.9.0 under TYPO3 4.x
Vulnerability Type: Cross Site Scripting
Severity: medium
The search word was not escaped correctly, so a prepared URL (e.g. one referenced in an email) could potentially contain unwanted JavaScript code.
Solution:
Upgrade to TYPO3 4.0.2 or apply the patch, which is provided on the security team page under the Security Bulletin.
Credits: Special thanks to Mr. Ekkehard Gümbel who pointed this one out to us, and to Mr. Michael Stucki, who provided the Patch.
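The class of bug described above, a search word written back into the page without escaping, shown in plain PHP as an added example. This is not the indexed search patch or any TYPO3 code; the function names, the `q` field and the sample input are constructed for illustration, and `htmlspecialchars()` is one common way to escape, not necessarily what the patch does.

```php
<?php
// Added illustration, not TYPO3 or indexed search source code.
// All function names and the "q" field name are hypothetical.

// BEFORE: the search word from the request is copied into the page as-is,
// so markup inside it becomes part of the document.
function renderSearchBoxUnsafe(string $searchWord): string
{
    return '<input type="text" name="q" value="' . $searchWord . '" />'
         . '<p>Results for: ' . $searchWord . '</p>';
}

// AFTER: the search word is escaped at output time. ENT_QUOTES covers both
// quote characters, which matters inside the value="..." attribute.
function renderSearchBoxSafe(string $searchWord): string
{
    $escaped = htmlspecialchars($searchWord, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="q" value="' . $escaped . '" />'
         . '<p>Results for: ' . $escaped . '</p>';
}

// Regression check: count the elements an HTML parser sees in the fragment.
// A correctly escaped search word can never add elements to the page.
function elementCount(string $html): int
{
    libxml_use_internal_errors(true);   // keep parser warnings off the output
    $doc = new DOMDocument();
    $doc->loadHTML('<div>' . $html . '</div>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('*')->length;
}

$sample   = 'cms "><b>x</b>';   // constructed input carrying harmless markup
$baseline = elementCount(renderSearchBoxSafe('cms'));

foreach (['renderSearchBoxUnsafe', 'renderSearchBoxSafe'] as $render) {
    $extra = elementCount($render($sample)) - $baseline;
    echo $render, ': ',
         $extra === 0 ? 'search word stayed text' : "$extra injected element(s)",
         PHP_EOL;
}
```

The same element-count comparison can be pointed at the real search result page after upgrading, as a check that the search word is only ever rendered as text.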