TYPO3 Share Your Car Extension Unspecified Cross Site Scripting and SQL Injection Vulnerabilities
BID: 52149
Info
| Bugtraq ID: | 52149 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 23 2012 12:00AM |
| Updated: | Feb 23 2012 12:00AM |
| Credit: | Georg Ringer |
| Vulnerable: | Typo3 Share Your Car 2.0.0 |
| Not Vulnerable: | |
Discussion
The TYPO3 Share Your Car (cc20) extension is prone to unspecified SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
TYPO3 Share Your Car 2.0.0 is vulnerable.
Exploit / POC
An attacker can exploit the SQL-injection issue with a browser. To exploit a cross-site scripting issue the attacker must entice an unsuspecting victim to follow a malicious URI.
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References: