Component Type: Third party extension. This extension is not part of the TYPO3 default installation.
Affected Versions: Version 1.9.3 and below
Vulnerability Type: SQL Injection, Cross Site Scripting
Severity: HIGH. We have received indications that the flaw is already being actively exploited.
Problem Description: Some versions of the extension are exposed to SQL injection because they fail to properly sanitize user-supplied input. In addition, some versions do not properly prevent Cross Site Scripting.
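To make the two flaw classes named above concrete, here is an added illustration in plain PHP. It is not code from ve_guestbook or the TYPO3 project; the guestbook table, the input values and the function names are constructed for the example, and an in-memory SQLite database stands in for the site database so it runs stand-alone. The unsafe variant concatenates form input into the statement and echoes stored entries unescaped; the safe variant uses a prepared statement and escapes on output.

```php
<?php
// Added example, not ve_guestbook code. Contrasts unsanitized input handling
// (SQL injection on insert, XSS on output) with the corrected forms, on a
// constructed guestbook table in an in-memory SQLite database.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE guestbook (uid INTEGER PRIMARY KEY, name TEXT, message TEXT)');
    $db->exec("INSERT INTO guestbook (name, message) VALUES ('alice', 'first post')");
    return $db;
}

// Unsafe: the request values are spliced straight into the SQL text, so a
// quote in $name terminates the string literal and the rest is parsed as SQL.
function insertUnsafe(PDO $db, string $name, string $message): void {
    $sql = "INSERT INTO guestbook (name, message) VALUES ('$name', '$message')";
    $db->exec($sql);
}

// Safe: a prepared statement keeps the values out of the SQL grammar entirely.
function insertSafe(PDO $db, string $name, string $message): void {
    $stmt = $db->prepare('INSERT INTO guestbook (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
}

// Unsafe: stored content is emitted verbatim, so a stored <script> tag runs
// in every visitor's browser (stored XSS).
function renderUnsafe(array $row): string {
    return '<li>' . $row['name'] . ': ' . $row['message'] . '</li>';
}

// Safe: escape at the HTML output boundary so markup is displayed as text.
function renderSafe(array $row): string {
    return '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . ': '
         . htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8') . '</li>';
}

function countRows(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM guestbook')->fetchColumn();
}

// Constructed form input: the first value carries an injected statement,
// the second an inline script.
$name    = "mallory', 'x'); DELETE FROM guestbook; --";
$message = '<script>alert(1)</script>';

$db = openDb();
insertUnsafe($db, $name, $message);
echo "after unsafe insert: " . countRows($db) . " rows (existing entries were deleted)\n";

$db = openDb();
insertSafe($db, $name, $message);
echo "after safe insert:   " . countRows($db) . " rows (payload stored as plain text)\n";

$row = $db->query("SELECT name, message FROM guestbook ORDER BY uid DESC LIMIT 1")->fetch(PDO::FETCH_ASSOC);
echo "unsafe render: " . renderUnsafe($row) . "\n";   // script tag reaches the browser
echo "safe render:   " . renderSafe($row) . "\n";     // &lt;script&gt; shown as text
```

Inside a TYPO3 4.x extension the same separation is achieved with the core database API (quoting values through `$GLOBALS['TYPO3_DB']->fullQuoteStr()` or letting `exec_INSERTquery()` quote field values for you) and with `htmlspecialchars()` on every value written into template output.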
Solution: An updated version is available from the TYPO3 extension manager and at typo3.org/extensions/repository/view/ve_guestbook/2.0.0/
General advice:
Follow the recommendations that are given in the TYPO3 SECURITY Guide.
Keep an eye on the TYPO3 security bulletin page at typo3.org/teams/security/security-bulletins/.
Annotation: The TYPO3 Security Team wishes to clarify that we have not yet been able to get in touch with the author, nor to accomplish a formal review of the extension. This advisory is being published nevertheless, because we have received indications that the flaw is already being actively exploited.