TYPO3-EXT-SA-2015-003: Multiple vulnerabilities in Content Rating Extbase (content_rating_extbase)
January 09, 2015
Category: TYPO3 Extension
Author: Marcus Krause
Keywords: TYPO3, security, TYPO3-EXT-SA-2015-003, extension, content_rating_extbase, cross-site scripting, sql injection
It has been discovered that the extension "Content Rating Extbase" (content_rating_extbase) is susceptible to Cross-Site Scripting and SQL Injection.
Release Date: January 9, 2015
Bulletin Update: February 23, 2015 (added CVEs)
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: 2.0.3 and all versions below
Vulnerability Type: Cross-Site Scripting, SQL Injection
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C
CVE: CVE-2015-1404 (Cross-Site Scripting), CVE-2015-1405 (SQL Injection)
Problem Description: The extension fails to properly escape user input in HTML and SQL context.
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed in providing a security fix for the reported vulnerability in a decent amount of time. Please uninstall and delete the extension folder from your installation.
Credits: Credits go to Steffen Müller who discovered and reported the vulnerabilities.