TYPO3-20081113-2: Cross-Site Scripting vulnerability in TYPO3 Core

Categories: TYPO3 CMS
It has been discovered that the frontend plugin of system extension "felogin" is vulnerable to Cross-Site Scripting (XSS).

Component Type: TYPO3 Core

Affected Versions: TYPO3 versions 4.2.0, 4.2.1 and 4.2.2

Vulnerability Type: Cross-Site Scripting

Vulnerability: The frontend plugin of system extension "felogin" is susceptible to Cross-Site Scripting.

Severity: Medium

Problem Description: The frontend plugin copies user-supplied input into its HTML output without filtering or encoding it. An attacker can therefore inject markup that causes arbitrary JavaScript to execute in the browser of a visitor, in the security context of the affected website.

Note: This vulnerability is exploited by tricking a user of the website into following a specially crafted link; the injected JavaScript then runs in that user's browser with the privileges of the site's origin. Users of the system extension felogin are strongly advised to update their TYPO3 installation. TYPO3 versions below 4.2 are not affected.
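The following is an added illustration of the vulnerability class described above, written for this page and not taken from the felogin plugin or the TYPO3 fix. It assumes a hypothetical login form that echoes a request parameter named redirect_url into a hidden field; the real parameter and template in felogin may differ. The vulnerable function interpolates the raw value into an HTML attribute, which is exactly what a crafted link abuses; the hardened function encodes the value for the attribute context before output.

```php
<?php
// Added example, not felogin code. Demonstrates reflected XSS caused by
// copying a request parameter into HTML without output encoding, and the
// corresponding fix. The parameter name "redirect_url" is an assumption.

declare(strict_types=1);

/**
 * Vulnerable pattern: the raw request value is interpolated into markup.
 * A value containing '"><script>...' breaks out of the attribute.
 */
function renderFormVulnerable(array $get): string
{
    $redirect = (string)($get['redirect_url'] ?? '');
    return '<form method="post" action="login.php">'
         . '<input type="hidden" name="redirect_url" value="' . $redirect . '">'
         . '<input type="submit" value="Login">'
         . '</form>';
}

/**
 * Hardened pattern: encode for the HTML attribute context before output.
 * ENT_QUOTES also encodes single quotes, so the value stays inert whether
 * the template quotes the attribute with " or '.
 */
function renderFormHardened(array $get): string
{
    $redirect = htmlspecialchars(
        (string)($get['redirect_url'] ?? ''),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<form method="post" action="login.php">'
         . '<input type="hidden" name="redirect_url" value="' . $redirect . '">'
         . '<input type="submit" value="Login">'
         . '</form>';
}

/** True if the rendered markup still contains an unencoded <script> tag. */
function containsScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed attacker payload: closes the value attribute, injects a script
// element, and re-opens an attribute so the remaining markup stays valid.
$payload      = '"><script>alert(document.cookie)</script><input value="';
$craftedQuery = 'redirect_url=' . rawurlencode($payload);

// Simulate the query string a victim's browser would send after clicking
// the crafted link (example host only).
parse_str($craftedQuery, $get);
echo "Crafted link: https://example.invalid/login.php?{$craftedQuery}\n\n";

echo "Vulnerable output:\n" . renderFormVulnerable($get) . "\n";
echo containsScriptTag(renderFormVulnerable($get))
    ? "-> script tag reaches the page: XSS\n\n"
    : "-> no script tag\n\n";

echo "Hardened output:\n" . renderFormHardened($get) . "\n";
echo containsScriptTag(renderFormHardened($get))
    ? "-> script tag reaches the page: XSS\n"
    : "-> payload rendered as inert text: fixed\n";
```

Running the script shows the payload appearing verbatim in the vulnerable markup and as `&quot;&gt;&lt;script&gt;...` in the hardened one. The encoding must match the output context: htmlspecialchars with ENT_QUOTES is correct for a quoted attribute value or element text, but a value placed inside a JavaScript block or a URL would need different escaping.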

Solution: Update to TYPO3 version 4.2.3, which fixes the issue described.

Credits: Credits go to Dirk Hoffmann, who reported the issue. The TYPO3 Security Team also wishes to thank TYPO3 Core Team members Dmitry Dulepov and Steffen Kamper for fixing the issue.