DSA-2445-1 typo3 -- several
ID: oval:org.secpod.oval:def:600771 | Date: created 2012-04-03, modified 2022-10-10
Class: PATCH | Family: unix
Several remote vulnerabilities have been discovered in the TYPO3 web content management framework:

CVE-2012-1606: The TYPO3 backend fails to HTML-encode user input in several places and is therefore susceptible to cross-site scripting. A valid backend user account is required to exploit these issues.

CVE-2012-1607: Requesting a CLI script directly with a browser may disclose the database name used by the TYPO3 installation.

CVE-2012-1608: Because it does not remove non-printable characters before filtering, the API method t3lib_div::RemoveXSS fails to catch specially crafted HTML injections and is therefore susceptible to cross-site scripting.
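The filter-bypass class behind CVE-2012-1608, shown as an added Python illustration that is not TYPO3's code and not the advisory's: a constructed blacklist filter in the style of RemoveXSS, the control-character trick that slips a "javascript:" token past it, the hardened variant that strips non-printable characters before matching, and the output-encoding approach that the CVE-2012-1606 entries call for. The function names, the token list and the sample payloads are assumptions made for this example.

```python
import html
import re

# Constructed model of a blacklist XSS filter in the style of RemoveXSS.
# This is an illustration for this advisory, not TYPO3's own implementation.
DANGEROUS_TOKENS = re.compile(r"(javascript\s*:|vbscript\s*:|on\w+\s*=)", re.IGNORECASE)

# C0 control characters and DEL. HTML and URL parsers discard or tolerate
# several of these inside tokens (the WHATWG URL parser strips ASCII tab and
# newline anywhere in a URL; older browsers ignored NUL in markup), so a
# token split by one of them still reaches the browser intact while a
# regex applied to the raw bytes never sees the token.
NON_PRINTABLE = re.compile(r"[\x00-\x1f\x7f]")


def naive_filter(value: str) -> str:
    """Blacklist applied to the raw input: the CVE-2012-1608 mistake."""
    return DANGEROUS_TOKENS.sub("", value)


def hardened_filter(value: str) -> str:
    """Strip non-printable characters first, then apply the blacklist."""
    return DANGEROUS_TOKENS.sub("", NON_PRINTABLE.sub("", value))


def escape_for_html(value: str) -> str:
    """Context-aware output encoding, the robust fix for both XSS entries.

    Instead of guessing which tokens are dangerous, encode the HTML-significant
    characters so user input can never become markup in an HTML text or
    attribute context.
    """
    return html.escape(value, quote=True)


def bypasses_naive_filter(payload: str) -> bool:
    """True if the naive filter leaves a token that a lenient parser still sees."""
    survivor = naive_filter(payload)
    return DANGEROUS_TOKENS.search(NON_PRINTABLE.sub("", survivor)) is not None


if __name__ == "__main__":
    # Constructed payloads: "javascript:" split by NUL and by TAB.
    for payload in ("java\x00script:alert(1)", '<a href="java\tscript:alert(1)">'):
        print(repr(payload))
        print("  naive    ->", repr(naive_filter(payload)),
              "(bypassed)" if bypasses_naive_filter(payload) else "")
        print("  hardened ->", repr(hardened_filter(payload)))
        print("  escaped  ->", repr(escape_for_html(payload)))
```

The hardened filter only closes the particular gap named in the advisory; any blacklist still depends on enumerating every token and every parser quirk, which is why escaping at the output context is the fix a reviewer should ask for first.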