Component Type: Third-party extension. This extension is not part of the TYPO3 default installation.
Affected Versions: Version 2.1.2 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Problem Description: When changing the password, it is possible to post malicious data that is injected into the SQL UPDATE query.
Solution: An updated version is available from the TYPO3 extension manager at typo3.org/extensions/repository/view/fechangepassword/2.2.0/
General advice: Follow the recommendations that are given in the TYPO3 Security Guide.
Credits: Credits go to Allan Jacobsen, who is the author and fixed the issue.