TYPO3-20060911-1: Cross-Site Scripting vulnerability in Indexed Search

Categories: TYPO3 CMS Created by Michael Stucki
A problem has been discovered with indexed search being vulnerable to Cross-Site-Scripting (XSS)

Component Type: System Extension
This Extension is Part of the TYPO3 default installation

Affected Components: Indexed Search

Versions: 2.9.0 under TYPO3 4.x

Vulnerability Type: Cross Site Scripting

Severity: medium

Problem Description:
The search word was not escaped correctly so a prepared URL (e.g. referenced in an email) could potentially contain some unwanted JavaScript code.

Solution:
Upgrade to TYPO3 4.0.2 or apply the Patch which is provided here: <media 799 - download>indexed search xss patch</media>

Credits:
Special thanks to Mr. Ekkehard Gümbel who pointed this one out to us, and to Mr. Ingmar Schlecht, who provided the Patch.