It has been discovered that the extension "Calendar Base" (cal) is susceptible to Denial of Service.
October 17, 2014
October 18, 2014 (added CVE)
Third party extension. This extension is not a part of the TYPO3 default installation.
all versions of 0.x.x, 1.0.x, 1.1.x, 1.2.x, 1.3.x, 1.4.x; 1.5.8 and below of 1.5.x; 1.6.0
Denial of Service
Suggested CVSS v2.0:
User input is passed to PHP's PCRE library without validating it beforehand. Depending on user input this may consume a tremendous amount of system resources.
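The following PHP sketch is an added example, not code from the "cal" extension, showing one way to validate user input before it reaches a `preg_*` call and to treat PCRE resource-limit errors as failures. The bulletin does not say how the input reaches PCRE, so the search-term scenario, the function names and the length limit are assumptions.

```php
<?php
// Added example; all names below are hypothetical, not the extension's API.
const MAX_TERM_LENGTH = 64; // assumed limit; choose one that fits the field

// Return the term with regex metacharacters escaped, or null if rejected.
function sanitizeSearchTerm(string $input): ?string
{
    if ($input === '' || strlen($input) > MAX_TERM_LENGTH) {
        return null;
    }
    // Allow-list: letters, digits, space and a few punctuation characters.
    // Invalid UTF-8 makes preg_match() return false, which is rejected too.
    if (preg_match('/\A[\p{L}\p{N} ._-]+\z/u', $input) !== 1) {
        return null;
    }
    // Escape so the term is matched literally, never interpreted as a pattern.
    return preg_quote($input, '/');
}

// Match titles against the validated term and surface PCRE errors.
function filterTitles(array $titles, string $userInput): array
{
    $term = sanitizeSearchTerm($userInput);
    if ($term === null) {
        throw new InvalidArgumentException('Search term rejected');
    }
    $hits = [];
    foreach ($titles as $title) {
        $result = preg_match('/' . $term . '/iu', $title);
        if ($result === false) {
            // For example PREG_BACKTRACK_LIMIT_ERROR or PREG_BAD_UTF8_ERROR.
            throw new RuntimeException('PCRE error code ' . preg_last_error());
        }
        if ($result === 1) {
            $hits[] = $title;
        }
    }
    return $hits;
}

// Constructed sample data.
$titles = ['Team meeting', 'Release 1.6.1 planning', 'Holiday'];
print_r(filterTitles($titles, 'release 1.6')); // matches the second title
var_dump(sanitizeSearchTerm('foo(.*)'));       // NULL: metacharacters rejected
```

The `pcre.backtrack_limit` and `pcre.recursion_limit` ini settings bound how much work a single match may do; checking for a `false` return is what makes hitting those limits visible to the application.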
Updated versions 1.5.9 (for TYPO3 CMS 4.5.5 - 6.0.99) and 1.6.1 (for TYPO3 CMS 6.1.0 - 6.2.99) are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/cal/1.6.1/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits go to Daniel Hahler and Bernd Schuhmacher who discovered and reported the issue.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.