TYPO3-20060902-1: tip-a-friend

The tip-a-friend extension has been found to be vulnerable to Cross-Site Scripting (XSS).

Component Type: Third Party Extension. The extension is not part of the
TYPO3 default installation.

Affected Components: tipafriend

Versions: 1.2.1 and earlier

Vulnerability Type: Cross-Site Scripting


Problem Description:

A problem has been discovered in the extension that allows attackers to send emails in the name of the website, but with a prepared URL that contains HTML content. It is not possible to insert JavaScript code.


An updated version 1.2.2 is available in the extension repository and at typo3.org/extensions/repository/search/tipafriend/1.2.2/

Users of the extension tipafriend are advised to update the extension immediately.

Credits: Special thanks to Rupert Germann, who is not the extension author but volunteered to update the extension.