
List:       oss-security
Subject:    Re: [oss-security] TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-12-30 3:43:30
Message-ID: 50DFB862.8040101 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'd like to get these CVEs assigned. Can someone from TYPO3 please
reply? Thanks.


On 12/10/2012 02:32 PM, Kurt Seifried wrote:
> TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core 
> https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-005/
>
> I'm a little confused because multiple issues are listed together
> with a single CVSS2 score/etc.
> 
> Can the Typo3 security team please confirm the following:
> 
>> Component Type: TYPO3 Core
>> Affected Versions: 4.5.0 up to 4.5.20, 4.6.0 up to 4.6.13, 4.7.0 up
>> to 4.7.5 and development releases of the 6.0 branch.
>> Vulnerability Types: SQL Injection, Cross-Site Scripting,
>> Information Disclosure
> 
> So no CVEs needed for this; this is simply a summary of the below
> issues?
> 
>> Vulnerable subcomponent: TYPO3 Backend History Module
>> Vulnerability Type: SQL Injection, Cross-Site Scripting
>> Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that
>> fix the problem described!
>> Credits: Credits go to Thomas Worm who discovered and reported the
>> issue.
> 
> Did he discover both the SQL Injection and the Cross-Site
> Scripting issues? Can you provide a link to the specific code
> fixes?
> 
> So 2 CVEs needed, correct?
> 
>> Vulnerable subcomponent: TYPO3 Backend History Module
>> Vulnerability Type: Information Disclosure
>> Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that
>> fix the problem described!
>> Credits: Credits go to Core Team Member Oliver Hader who
>> discovered and fixed the issue.
> 
> So one CVE needed here? Can you provide a link to the specific code
> fixes?
> 
>> Vulnerable subcomponent: TYPO3 Backend API
>> Vulnerability Type: Cross-Site Scripting
>> Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that
>> fix the problem described!
>> Credits: Credits go to Johannes Feustel who discovered and
>> reported the issue.
> 
> So one CVE needed here? Can you provide a link to the specific code
> fixes?
> 
>> Vulnerability Type: Cross-Site Scripting
>> Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that
>> fix the problem described!
>> Credits: Credits go to Richard Brain who discovered and reported
>> the issue.
> 
> So one CVE needed here? Can you provide a link to the specific code
> fixes?
> 
> Thanks for confirming this.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ37hiAAoJEBYNRVNeJnmTSSIP/3j+b//bo3KybxbZg6aCck70
BdWtiCxK12ytFCIc8oddg5EP1d5sFfZ0+STnpJJiO/OK0yLs1rrZ4SuAenlBv3cn
Ig3m8ZlNCAThGviaeDVV+C7xc/glOo4ze3DJZ0pXbBMJCxI4Gnpi3AVT2xbi5oBG
Hd/oC1v4iaZqKudBFGwO2g+vucXz3+EuRgwYBHee33RaDhwwAbYMR7JbBr9bVidZ
0vhn109UTn/kD6X0RgCeQWfUInoTPEVLh+tMoy10edOws5QFCQVMt3rQ7t9Yy7Sv
Iy9H4mZY4mn+kM0iBgHjQrv65KNTnhWShipuWueg0DfPwOkuXkDOOfBKhlWBKNs1
fOapfQ3x3pW9nnpPQ0tDzYWg7z4piWx0uZ8Yl+zwz8qi/uwCGcyDTRFNWDkIfbXi
ArVteT2BVbXq025ESJgHhYnCEPXHJQ2UXJuuPz2zWClTAk0kT2rmE2lUm1XM/3lY
wjFqZA1M0sxtEspoNwYWYMe9EKr4WHU1OIWp3Jo8wUtqHoJY4pvZq34gOYU+4/9d
mWdHnJmsbZ3O3v1joBh3oTxPMN70FEazLfUp/kDb6lKWV2vq70zcGugvp5HPGo3j
kPRfnuBsR4ZZC5pa86xfPsmLAkoI0HgTgfpzUt04FSyzncYOMBhRJlirnRjwcCt3
dlxv+NXn42tyOTMPhYSR
=HEQq
-----END PGP SIGNATURE-----