Component Type: Third party extensions. These extensions are not part of the TYPO3 default installation.
Affected Versions: pmk_rssnewsexport: All versions, cm_rdfexport: All versions
Vulnerability Type: SQL Injection
Severity: HIGH
Problem Description: Both extensions are open to SQL injection flaws because they fail to properly sanitize user-supplied input.
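The flaw class named above, illustrated with an added example that is not code from pmk_rssnewsexport, cm_rdfexport or tt_news: a news-export query built by string concatenation beside the same query with the request value cast to an integer and bound as a parameter. The table layout, the `category` request parameter and the in-memory SQLite database are assumptions made for this illustration.

```php
<?php
// Added example (not the affected extensions' code): two ways of building
// a feed-export query, run against an in-memory SQLite database via PDO.
// Table, columns and the 'category' parameter are constructed for this demo.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (uid INTEGER PRIMARY KEY, title TEXT, category INTEGER, hidden INTEGER)');
    $db->exec("INSERT INTO news VALUES (1, 'Public release notes', 1, 0)");
    $db->exec("INSERT INTO news VALUES (2, 'Unpublished draft', 2, 1)");
    return $db;
}

// Vulnerable pattern: the raw request value is concatenated into the SQL string,
// so a quote in the input ends the literal and the rest is parsed as SQL.
function exportVulnerable(PDO $db, string $category): array {
    $sql = "SELECT uid, title FROM news WHERE hidden = 0 AND category = '" . $category . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: coerce the value to the type the column expects, then bind it
// as a parameter so the database never sees it as part of the statement text.
function exportHardened(PDO $db, string $category): array {
    $categoryId = (int)$category; // "1' OR ..." becomes 1; non-numeric input becomes 0
    $stmt = $db->prepare('SELECT uid, title FROM news WHERE hidden = 0 AND category = :cat');
    $stmt->execute([':cat' => $categoryId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();
// Constructed sample of what an unsanitized GET parameter may carry.
$tainted = "1' OR '1'='1";

// Vulnerable query becomes: ... (hidden = 0 AND category = '1') OR '1'='1'
// and returns both rows, including the hidden draft.
print_r(exportVulnerable($db, $tainted));

// Hardened query binds the integer 1 and returns only the public row.
print_r(exportHardened($db, $tainted));
```

The integer cast is the simplest fix when the parameter is a record or category id; for free-text values the bound parameter alone does the work, and the same rule holds whichever database layer an extension uses: request data must never be spliced into statement text.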
Solution: No fixed versions are available, so users are encouraged to remove these extensions from their TYPO3 installation. The functionality of both extensions is included in current versions of extension tt_news, therefore pmk_rssnewsexport and cm_rdfexport are obsolete and were removed from TER. Users of the vulnerable extensions should use the RDF/RSS export functionality of tt_news instead.
General advice:
Follow the recommendations that are given in the TYPO3 SECURITY Guide.
Check the TYPO3 security bulletin page frequently for updates. The page is located at typo3.org/teams/security/security-bulletins/.
Credits: The TYPO3 Security Team wishes to thank Anders Skovsgaard from Hackavoid who discovered and reported the security issue.