It has been discovered that the extension "Grid Elements" (gridelements) is susceptible to Cross-Site Scripting.
Release Date: May 27, 2014
Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: 2.0.2 and below, 1.5.0 and below
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C
Failing to properly sanitize user input, the layout wizard provided by the extension gridelements is susceptible to Cross-Site Scripting. A valid backend user login with permission to access the layout wizard is required for this vulnerability to be exploited.
Updated versions 2.0.3 and 1.5.1 are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/gridelements/2.0.3/. Users of the extension are advised to update the extension as soon as possible.
Credits go to Security Team Member Georg Ringer who discovered and reported the issue.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.