Component Type: Third Party Extension. The extension is not part of the
TYPO3 default installation
Affected Components: tipafriend
Versions: 1.2.1 and earlier
Vulnerability Type: Cross Site Scripting
Severity:low
Problem Description:
A problem has been discovered in the extension, which allows attackers to send emails in the name of the website but with a prepared URL that contains HTML content. It is not possible to insert Javascript Code.
Solution:
An updated version 1.2.2 is available in the extension repository and at typo3.org/extensions/repository/search/tipafriend/1.2.2/
Users of the extension tipafriend are advised to update the extension immidiately.
Credits: Special thanks to Rupert Germann, who is not the extension author, but volunteered to update the extension