Release Date: August 18, 2009
Component Type: Third-party extension. This extension is not part of the TYPO3 default installation.
Affected Versions: Version 0.2.4 and below.
Vulnerability Type: (Blind) SQL Injection
Severity: HIGH
Problem Description: Because the extension fails to properly sanitize user-supplied input, it is open to SQL injection attacks. If the "personalized salutations" frontend plugin is used, any website user could exploit this vulnerability.
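The bulletin does not name the extension or show its code. As an added illustration (not code from the affected extension or from the TYPO3 project), the snippet below shows the defect class in a TYPO3 4.x style frontend plugin: a frontend parameter concatenated into a WHERE clause next to the same lookup done through the TYPO3 database API's quoting helpers (fullQuoteStr() and intval()), which is the fix an extension author would apply. The class name tx_example_pi1, the table tx_example_salutations and the "name" parameter are hypothetical.

```php
<?php
// Added illustration of the SQL injection pattern described in this bulletin.
// All identifiers here (tx_example_pi1, tx_example_salutations, piVars name)
// are hypothetical; they are not taken from the affected extension.
// $GLOBALS['TYPO3_DB'] is the t3lib_DB instance TYPO3 4.x provides to plugins.

class tx_example_pi1 extends tslib_pibase {

    // Vulnerable pattern: the user-controlled plugin variable goes straight
    // into the WHERE clause. Anything the visitor puts in the "name" parameter
    // becomes part of the SQL statement, including blind-injection payloads.
    function lookupSalutationUnsafe() {
        $name = $this->piVars['name'];
        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
            'salutation',
            'tx_example_salutations',
            "name = '" . $name . "' AND deleted = 0"   // unquoted input: SQL injection
        );
        $row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
        return $row ? $row['salutation'] : '';
    }

    // Hardened pattern: string values are passed through fullQuoteStr(), which
    // quotes and escapes them for the database connection; numeric values are
    // forced to integers with intval(). The user input can no longer change the
    // structure of the query, only the value being compared.
    function lookupSalutationSafe() {
        $db    = $GLOBALS['TYPO3_DB'];
        $table = 'tx_example_salutations';
        $name  = (string) $this->piVars['name'];
        $pid   = intval($this->piVars['pid']);   // integer parameter: cast, do not quote

        $where = 'name = ' . $db->fullQuoteStr($name, $table)
               . ' AND pid = ' . $pid
               . ' AND deleted = 0';

        $res = $db->exec_SELECTquery('salutation', $table, $where);
        $row = $db->sql_fetch_assoc($res);
        $db->sql_free_result($res);
        return $row ? $row['salutation'] : '';
    }
}
```

When auditing an installed extension, grep its plugin classes for SQL strings built with `.` or double-quoted interpolation of `$this->piVars`, `t3lib_div::_GP()` or `t3lib_div::_GET()/_POST()` values; every such value should reach the query only through `fullQuoteStr()`, `intval()` or the `exec_*query()` array helpers.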
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. At the time of writing, we are not aware of a security update for the extension that fixes this vulnerability, since we have been unable to get in contact with the author. For the time being, please uninstall this extension and delete all files belonging to it from your TYPO3 installation.
General advice: Follow the recommendations given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via e-mail.
Credits: Credits go to Mario Rimann who discovered and reported the issue.