It has been discovered that the extension "mm_forum" (mm_forum) is vulnerable to Arbitrary Code Execution, Cross-Site Scripting and Cross-Site Request Forgery
February 12, 2014
September 18, 2014 (added CVEs)
Third party extension. This extension is not a part of the TYPO3 default installation.
Version 1.9.2 and below
Arbitrary Code Execution, Cross-Site Scripting and Cross-Site Request Forgery (CSRF).
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C
CVE-2014-6297 (Cross-Site Scripting), CVE-2014-6298 (Arbitrary Code Execution), CVE-2014-6299 (CSRF)
Failing to properly sanitize user-supplied input, the extension is vulnerable to Cross-Site Scripting. Uploaded files were not checked against the file deny pattern, so arbitrary files could be uploaded, and uploading PHP files made Arbitrary Code Execution possible. Additionally, it was possible to create posts on behalf of logged-in users (CSRF).
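As an added illustration of the upload check the advisory says was missing (this is example code, not part of the advisory or of mm_forum), the function below rejects attachment names with TYPO3's file deny pattern and then an allow-list, and stores accepted uploads under a server-generated name. The regex is assumed to be the [BE][fileDenyPattern] default of that era, reproduced here as an assumption; the allow-list is constructed for a forum attachment handler.

```python
import re
import secrets

# Assumed TYPO3 default fileDenyPattern of the TYPO3 4.x era. The trailing
# "(\..*)?$" is what catches double extensions such as "shell.php.jpg".
FILE_DENY_PATTERN = re.compile(
    r"\.(php[3-7]?|phpsh|phtml)(\..*)?$|^\.htaccess$", re.IGNORECASE
)

# Constructed allow-list: a forum attachment handler only needs a few types.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "zip"}


def is_allowed_upload(filename: str) -> bool:
    """True only if the name passes the deny pattern AND the allow-list.

    Deny pattern alone is the minimum TYPO3 expects; the allow-list
    closes the gap for extensions the pattern does not know about.
    """
    # Strip any path component the client may have sent along.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name.startswith("."):
        return False
    if FILE_DENY_PATTERN.search(name):
        return False
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in ALLOWED_EXTENSIONS


def storage_name(filename: str) -> str:
    """Return a random server-side name that keeps only the vetted extension.

    Never reusing the client-supplied name removes the remaining ways a
    crafted name could influence how the web server handles the file.
    """
    if not is_allowed_upload(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for sample in ["avatar.png", "shell.php", "shell.php.jpg", "x.PHTML"]:
        print(f"{sample:>14}: {'accepted' if is_allowed_upload(sample) else 'rejected'}")
```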
An updated version 1.9.3 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/mm_forum/1.9.3/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits go to Michael Knabe and Stano Paska who discovered and reported the issue.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via e-mail.