FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  318877
Date:      2013-05-23
Time:      15:30:07Z
Committer: flo

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
79818ef9-2d10-11e2-9160-00262d5ed8ee	typo3 -- Multiple vulnerabilities in TYPO3 Core Typo Security Team reports: TYPO3 Backend History Module - Due to missing encoding of user input, the history module is susceptible to SQL Injection and Cross-Site Scripting. A valid backend login is required to exploit this vulnerability. Credits go to Thomas Worm who discovered and reported the issue. TYPO3 Backend API - Failing to properly HTML-encode user input the tree render API (TCA-Tree) is susceptible to Cross-Site Scripting. TYPO3 Versions below 6.0 does not make us of this API, thus is not exploitable, if no third party extension is installed which uses this API. A valid backend login is required to exploit this vulnerability. Credits go to Richard Brain who discovered and reported the issue. Discovery 2012-11-08 Entry 2012-11-12 typo3 ge 4.5.0 lt 4.5.21 ge 4.6.0 lt 4.6.14 ge 4.7.0 lt 4.7.6 http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-005/
48bcb4b2-e708-11e1-a59d-000d601460a4	typo3 -- Multiple vulernabilities in TYPO3 Core Typo Security Team reports: It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, Information Disclosure, Insecure Unserialize leading to Arbitrary Code Execution. TYPO3 Backend Help System - Due to a missing signature (HMAC) for a parameter in the view_help.php file, an attacker could unserialize arbitrary objects within TYPO3. We are aware of a working exploit, which can lead to arbitrary code execution. A valid backend user login or multiple successful cross site request forgery attacks are required to exploit this vulnerability. TYPO3 Backend - Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities. TYPO3 Backend - Accessing the configuration module discloses the Encryption Key. A valid backend user with access to the configuration module is required to exploit this vulnerability. TYPO3 HTML Sanitizing API - By not removing several HTML5 JavaScript events, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections, thus is susceptible to Cross-Site Scripting. Failing to properly encode for JavaScript the API method t3lib_div::quoteJSvalue(), it is susceptible to Cross-Site Scripting. TYPO3 Install Tool - Failing to properly sanitize user input, the Install Tool is susceptible to Cross-Site Scripting. Discovery 2012-08-15 Entry 2012-08-15 typo3 ge 4.5.0 lt 4.5.19 ge 4.6.0 lt 4.6.12 ge 4.7.0 lt 4.7.4 https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004/

VuXML ID

Description

79818ef9-2d10-11e2-9160-00262d5ed8ee

typo3 -- Multiple vulnerabilities in TYPO3 Core

Typo Security Team reports:

TYPO3 Backend History Module - Due to missing encoding of user input, the history module is susceptible to SQL Injection and Cross-Site Scripting. A valid backend login is required to exploit this vulnerability. Credits go to Thomas Worm who discovered and reported the issue.

TYPO3 Backend API - Failing to properly HTML-encode user input the tree render API (TCA-Tree) is susceptible to Cross-Site Scripting. TYPO3 Versions below 6.0 does not make us of this API, thus is not exploitable, if no third party extension is installed which uses this API. A valid backend login is required to exploit this vulnerability. Credits go to Richard Brain who discovered and reported the issue.

Discovery 2012-11-08
Entry 2012-11-12
typo3

ge 4.5.0 lt 4.5.21

ge 4.6.0 lt 4.6.14

ge 4.7.0 lt 4.7.6

http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-005/

48bcb4b2-e708-11e1-a59d-000d601460a4

typo3 -- Multiple vulernabilities in TYPO3 Core

Typo Security Team reports:

It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, Information Disclosure, Insecure Unserialize leading to Arbitrary Code Execution.

TYPO3 Backend Help System - Due to a missing signature (HMAC) for a parameter in the view_help.php file, an attacker could unserialize arbitrary objects within TYPO3. We are aware of a working exploit, which can lead to arbitrary code execution. A valid backend user login or multiple successful cross site request forgery attacks are required to exploit this vulnerability.

TYPO3 Backend - Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities.

TYPO3 Backend - Accessing the configuration module discloses the Encryption Key. A valid backend user with access to the configuration module is required to exploit this vulnerability.

TYPO3 HTML Sanitizing API - By not removing several HTML5 JavaScript events, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections, thus is susceptible to Cross-Site Scripting. Failing to properly encode for JavaScript the API method t3lib_div::quoteJSvalue(), it is susceptible to Cross-Site Scripting.

TYPO3 Install Tool - Failing to properly sanitize user input, the Install Tool is susceptible to Cross-Site Scripting.

Discovery 2012-08-15
Entry 2012-08-15
typo3

ge 4.5.0 lt 4.5.19

ge 4.6.0 lt 4.6.12

ge 4.7.0 lt 4.7.4

https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004/