Component Type: Third-party extensions. These extensions are not part of the TYPO3 default installation.
Affected Versions: macina_banners (version 1.4.0 and below)
and its descendant ric_rotation (version 1.9.9 and below) are affected.
For clarification: ww_macinabanners is not affected.
Vulnerability Type: SQL injection
Severity: HIGH (exploitation has been reported, so the issue is presumed to be "in the wild")
Problem Description: These extensions are exposed to an SQL injection issue because they fail to properly sanitize user-supplied input.
Solution: Updated versions are available from the TYPO3 extension manager and at
Users of these extensions are strongly advised to update the extension immediately.
Follow the recommendations that are given in the TYPO3 SECURITY Guide.
Credits: Credits go to Jan Radecker, who discovered this issue, and to Wolfgang Becker and Clemens Riccabona, who immediately fixed their extensions.