Component Type: Third party extension. This extension is not part of the TYPO3 default installation.
Affected Versions: Version 1.4.2 and below, possibly also all versions of the obsolete predecessor extension kj_imagelightbox
Vulnerability Type: Cross-Site Scripting
Solution: An updated version 1.4.3 is available from the TYPO3 extension manager and at typo3.org/extensions/repository/view/kj_imagelightbox2/1.4.3/. Users of the extension are advised to update the extension as soon as possible.
Users of the extension kj_imagelightbox, which is the predecessor of kj_imagelightbox2, should also switch to kj_imagelightbox2 1.4.3. The predecessor might contain the same security issue, but it is no longer part of TER because the extension author decided not to maintain it any longer.
Credits: Credits go to Michael Raberger, who discovered the issues. Furthermore, the TYPO3 Security Team wishes to thank the extension author Julian Kleinhans for fixing the issue.