Security Bulletin TYPO3-20060911-1: indexed search

Categories: Security
Created by Michael Hirdes
A Cross-Site-Scripting (XSS) problem has been discovered in indexed search.

Component Type: System Extension
This Extension is Part of the TYPO3 default installation

Affected Components: Indexed Search

Versions: 2.9.0 under TYPO3 4.x

Vulnerability Type: Cross Site Scripting

Severity: medium

The search word was not escaped correctly, so a prepared URL (e.g. one referenced in an email) could potentially contain unwanted JavaScript code.
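The class of bug described above, as an added example that is not TYPO3's code or the patch: a hypothetical search page that echoes the search word into HTML text, an attribute value and a link, first unescaped and then escaped for each context. The function names, the `q` parameter and the sample input are assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical names, not indexed_search source code.

// Unescaped: the search word is copied into the page as-is, so markup
// contained in the URL parameter becomes part of the document.
function renderSearchHeaderUnsafe(string $word): string
{
    return '<p>Search results for: ' . $word . '</p>' . "\n"
         . '<input type="text" name="q" value="' . $word . '">' . "\n"
         . '<a href="?q=' . $word . '&page=2">Next page</a>';
}

// Escaped: the same output, with the search word encoded for the
// context it lands in.
function renderSearchHeaderSafe(string $word): string
{
    // HTML text and attribute values: encode <, >, &, " and '.
    $html = htmlspecialchars($word, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Links: URL-encode the value first, then HTML-encode the whole
    // attribute so the "&" separator is also written as "&amp;".
    $href = htmlspecialchars(
        '?q=' . rawurlencode($word) . '&page=2',
        ENT_QUOTES,
        'UTF-8'
    );

    return '<p>Search results for: ' . $html . '</p>' . "\n"
         . '<input type="text" name="q" value="' . $html . '">' . "\n"
         . '<a href="' . $href . '">Next page</a>';
}

// Constructed sample input, standing in for a search word taken from a
// prepared URL.
$word = '"><script>alert(1)</script>';

echo "--- unescaped ---\n", renderSearchHeaderUnsafe($word), "\n\n";
echo "--- escaped ---\n", renderSearchHeaderSafe($word), "\n";
```

In the escaped output the search word appears only as `&quot;&gt;&lt;script&gt;...` in the text and attribute, and percent-encoded in the link, so the browser renders it as text instead of executing it.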


Upgrade to TYPO3 4.0.2 or apply the patch provided on the security team page under the Security Bulletin.


Credits: Special thanks to Mr. Ekkehard Gümbel who pointed this one out to us, and to Mr. Michael Stucki, who provided the Patch.