TYPO3-FLOW-SA-2013-001: Cross-Site Scripting in TYPO3 Flow

It has been discovered that TYPO3 Flow is susceptible to Cross-Site Scripting.
Component Type: TYPO3 Flow Affected Versions: 1.1.0, 2.0.0 and current development branch. Release Date: December 10, 2013 Vulnerability Type: Cross-Site Scripting Severity: Medium Suggested CVSS v2.0: <link http: jvnrss.ise.chuo-u.ac.jp jtg cvss _blank>AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C (<link http: buzz.typo3.org teams security article use-of-common-vulnerability-scoring-system-in-typo3-security-advisories _blank post on cvss>What's that?) CVE: CVE-2013-7082 Problem Description: The errorAction method in the ActionController base class of Flow returns error messages without properly encoding them. Because these error messages can contain user input, this could lead to a Cross-Site Scripting vulnerability in Flow driven applications. Hint: If you have customized the error action in your Flow application, we advice you to check that the error messages returned in these actions only contain static strings and are not derived from any kind of user input. If you are not sure whether your code is fine in that regard, feel free to ask on a public mailing list or the forum. Solution: Update to Flow Versions 1.1.1 or 2.0.1 which fix the problem described! Note: The same problem applies to the Extbase Framework in TYPO3. Read the according advisory <link http: typo3.org teams security security-bulletins typo3-core typo3-core-sa-2013-004>TYPO3-CORE-SA-2013-004 for more information. General Advice: Please subscribe to the <link http: lists.typo3.org cgi-bin mailman listinfo typo3-announce>typo3-announce mailing list.