TYPO3-20070710-1: SQL Injection in fechangepassword

It has been discovered that the extension fechangepassword is open for a SQL injection when updating the password.

Component Type: Third party extension. This extension is not part of the TYPO3 default installation

Affected Versions: Version 2.1.2 and all versions below

Vulnerability Type: SQL Injection

Severity: HIGH

Problem Description: When changing the password, it is possible to post malicious data injecting the SQL update query.

Solution: An updated version is available from the TYPO3 extension manager at typo3.org/extensions/repository/view/fechangepassword/2.2.0/

General advice: Follow the recommendations that are given in the TYPO3 SECURITY Guide.

Credits: Credits go to Allan Jacobsen who is the author and fixed the issue.