DSA-2537-1 typo3-src -- several vulnerabilities
ID: oval:org.secpod.oval:def:600876 | Date: (C)2012-09-01 (M)2024-01-23 |
Class: PATCH | Family: unix |
Several vulnerabilities were discovered in TYPO3, a content management system.

CVE-2012-3527: An insecure call to unserialize in the help system enables arbitrary code execution by authenticated users.

CVE-2012-3528: The TYPO3 backend contains several cross-site scripting vulnerabilities.

CVE-2012-3529: Authenticated users who can access the configuration module can obtain the encryption key, allowing them to escalate their privileges.

CVE-2012-3530: The RemoveXSS HTML sanitizer did not remove several HTML5 JavaScript event handlers, thus failing to mitigate the impact of cross-site scripting vulnerabilities.
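The unserialize issue behind CVE-2012-3527 is an instance of PHP object injection: unserialize() instantiates whatever class the serialized bytes name, with whatever property values they carry, and any magic method on that class (here __destruct) then runs with attacker-chosen state. The example below is an added illustration written for this page; it is not TYPO3 code and does not reproduce the TYPO3 bug. The CacheWriter class, the temp-file path and the payload are constructed, and the hardened variant relies on the allowed_classes option, which arrived in PHP 7.0 and did not exist when this advisory was issued. It needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 code. CacheWriter is a hypothetical class
// standing in for any autoloadable class that acts on its properties in a
// magic method.
final class CacheWriter
{
    public string $path = '';
    public string $data = '';

    // Runs automatically when the object is freed, i.e. right after
    // unserialize() builds it, with values chosen by whoever wrote the bytes.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern: the serialized string comes straight from the request.
function restoreStateVulnerable(string $payload)
{
    return unserialize($payload);
}

// Hardened (PHP >= 7.0): no class may be instantiated. Objects in the payload
// come back as __PHP_Incomplete_Class, whose destructor does nothing.
function restoreStateHardened(string $payload)
{
    return unserialize($payload, ['allowed_classes' => false]);
}

// Preferred for untrusted data: a format with no object semantics at all.
function restoreStateJson(string $payload): array
{
    return json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed attacker payload. A real attacker writes these bytes by hand;
// serialize() is used here only to get the length prefixes right.
$target = sys_get_temp_dir() . '/object-injection-demo.txt';
$evil = new CacheWriter();
$evil->path = $target;
$evil->data = "written by attacker-controlled __destruct\n";
$payload = serialize($evil);
$evil->path = '';   // stop the constructing object from writing when it is freed
unset($evil);

@unlink($target);
restoreStateVulnerable($payload);   // object is built, then freed: destructor fires
printf("vulnerable: file written? %s\n", file_exists($target) ? 'yes' : 'no');

@unlink($target);
$obj = restoreStateHardened($payload);
printf("hardened:   file written? %s (got %s)\n",
    file_exists($target) ? 'yes' : 'no', get_class($obj));

$state = restoreStateJson('{"theme":"dark","page":3}');
printf("json:       %s\n", json_encode($state));
```

The destructor in the vulnerable path fires even though the caller never touches the returned object, which is why "we only unserialize and then discard it" is not a mitigation. allowed_classes => false closes the instantiation gadget but still parses the attacker's bytes; moving session or state data to JSON removes the object graph entirely and is the change to prefer when the format is under your control.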
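CVE-2012-3530 is the classic deny-list sanitizer gap: a filter that recognises a fixed set of event-handler attribute names is silently bypassed by any handler it has not been taught, and HTML5 added many. The example below is added for this page and is not TYPO3's RemoveXSS; both sanitizer functions, the handler list and the sample markup are constructed to show the failure mode and a name-independent alternative.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3's RemoveXSS. The handler list and both
// functions are constructed for this example.

// Deny-list as an older sanitizer might carry it: a fixed set of names.
const KNOWN_EVENT_HANDLERS = [
    'onclick', 'onload', 'onerror', 'onmouseover', 'onmouseout',
    'onfocus', 'onblur', 'onsubmit', 'onkeydown', 'onkeyup',
];

// Attribute value forms: double-quoted, single-quoted, or unquoted.
const ATTR_VALUE = '("[^"]*"|\'[^\']*\'|[^\s>]+)';

// Removes only the handlers it has been told about. Any event introduced
// later (oninput, onanimationstart, ...) is not on the list and survives.
function stripListedHandlers(string $html): string
{
    foreach (KNOWN_EVENT_HANDLERS as $name) {
        $html = preg_replace('/\s+' . $name . '\s*=\s*' . ATTR_VALUE . '/i', '', $html);
    }
    return $html;
}

// Removes every attribute whose name starts with "on", so the filter does
// not depend on knowing the complete set of event names.
function stripAllHandlers(string $html): string
{
    return preg_replace('/\s+on[a-z]+\s*=\s*' . ATTR_VALUE . '/i', '', $html);
}

// Constructed inputs: one handler every deny-list knows, one from HTML5.
$samples = [
    '<img src=x onerror=alert(1)>',
    '<input oninput="alert(1)">',
];

foreach ($samples as $html) {
    printf("input:     %s\n", $html);
    printf("deny-list: %s\n", stripListedHandlers($html));
    printf("all on*:   %s\n\n", stripAllHandlers($html));
}
```

Running it shows the deny-list leaving `<input oninput="alert(1)">` untouched while the on* pattern reduces it to `<input>`. The pattern version only fixes the name-coverage problem, not regex sanitization as such: it does nothing about javascript: URLs in href or src, entity-encoded attribute names, or tags where a slash rather than whitespace separates attributes. A production fix parses the markup and allowlists tags and attributes (HTML Purifier is the usual choice in PHP) instead of trying to enumerate what to remove.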