Component Type: Third party extension. The extension is not part of the TYPO3 default installation.
Affected Versions: 1.2.2 and earlier
Vulnerability Type: Header Injection
Severity: HIGH
Problem Description:
A problem has been discovered in the extension that allows attackers to send arbitrary mail headers and similar, which can lead to misuse of the extension.
Solution:
An updated version 1.2.3 is available in the extension repository and at typo3.org/extensions/repository/view/tipafriend/1.2.3/
Users of the extension tipafriend are advised to update the extension immediately.
General advice:
Follow the recommendations that are given in the TYPO3 SECURITY Guide.
Credits:
Thanks to security team members Thorsten Kahler and Andreas Otto, who discovered the issue and provided a fix when reporting it to the security team.