TYPO3 Tip-A-Friend ('tipafriend') Extension Unspecified Cross Site Scripting Vulnerability

Bugtraq ID:	39475
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 14 2010 12:00AM
Updated:	Apr 14 2010 12:00AM
Credit:	Patrick Broens
Vulnerable:	Typo3 Tip-A-Friend 1.2.3
Not Vulnerable:	Typo3 Tip-A-Friend 1.2.4

TYPO3 Tip-A-Friend ('tipafriend') Extension Unspecified Cross Site Scripting Vulnerability

The TYPO3 Tip-A-Friend ('tipafriend') extension is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Versions prior to Tip-A-Friend 1.2.4 are vulnerable.

TYPO3 Tip-A-Friend ('tipafriend') Extension Unspecified Cross Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting user into following a malicious URI.

TYPO3 Tip-A-Friend ('tipafriend') Extension Unspecified Cross Site Scripting Vulnerability

Solution:
Updates are available. Pleases see the references for more information.


Typo3 Tip-A-Friend 1.2.3

• Typo3 tipafriend_1.2.4.t3x
  http://typo3.org/fileadmin/ter/t/i/tipafriend_1.2.4.t3x

TYPO3 Tip-A-Friend ('tipafriend') Extension Unspecified Cross Site Scripting Vulnerability

References:

• Synnefoims Homepage (synnefoims)
  
• TYPO3 Security Bulletin TYPO3-SA-2010-010: Vulnerabilitiy in extension Tip-A-Fri (TYPO3)