TYPO3-20070801-1: Multiple vulnerabilities in extension ve_guestbook

It has been discovered that the extension ve_guestbook is vulnerable to SQL Injection attacks. In addition, a Cross Site Scripting issue has been detected.

Component Type: Third party extension. This extension is not part of the TYPO3 default installation.

Affected Versions: Version 1.9.3 and below

Vulnerability Type: SQL Injection, Cross Site Scripting

Severity: HIGH. We have received indications that the flaw is already being actively exploited.

Problem Description: Some versions of the extension are exposed to SQL injection because they fail to properly sanitize user-supplied input before using it in database queries. In addition, some versions do not properly prevent Cross Site Scripting attacks.

Solution: An updated version is available from the TYPO3 extension manager and at typo3.org/extensions/repository/view/ve_guestbook/2.0.0/

General advice:
Follow the recommendations given in the TYPO3 Security Guide.
Keep an eye on the TYPO3 security bulletin page at typo3.org/teams/security/security-bulletins/.

Annotation: The TYPO3 Security Team wishes to clarify that we have not yet been able to get in touch with the author, nor to accomplish a formal review of the extension. This advisory is being published nevertheless, because we have received indications that the flaw is already being actively exploited.