Date: Mon, 12 Nov 2012 21:47:27 +0000 (UTC) From: Rene Ladan <rene@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r307348 - head/security/vuxml Message-ID: <201211122147.qACLlRlc013066@svn.freebsd.org>
Author: rene Date: Mon Nov 12 21:47:27 2012 New Revision: 307348 URL: http://svnweb.freebsd.org/changeset/ports/307348 Log: Document vulnerabilities in two typo3 components. Obtained from: http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-005/ Feature safe: yes Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Mon Nov 12 21:46:59 2012 (r307347) +++ head/security/vuxml/vuln.xml Mon Nov 12 21:47:27 2012 (r307348) 
@@ -51,6 +51,44 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="79818ef9-2d10-11e2-9160-00262d5ed8ee"> + <topic>typo3 -- Multiple vulnerabilities in TYPO3 Core</topic> + <affects> + <package> + <name>typo3</name> + <range><ge>4.5.0</ge><lt>4.5.21</lt></range> + <range><ge>4.6.0</ge><lt>4.6.14</lt></range> + <range><ge>4.7.0</ge><lt>4.7.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Typo Security Team reports:</p> + <blockquote cite="http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-005/"> + <p>TYPO3 Backend History Module - Due to missing encoding of user + input, the history module is susceptible to SQL Injection and + Cross-Site Scripting. A valid backend login is required to exploit + this vulnerability. Credits go to Thomas Worm who discovered and + reported the issue.</p> + <p>TYPO3 Backend API - Failing to properly HTML-encode user input the + tree render API (TCA-Tree) is susceptible to Cross-Site Scripting. + TYPO3 Versions below 6.0 does not make us of this API, thus is not + exploitable, if no third party extension is installed which uses + this API. A valid backend login is required to exploit this + vulnerability. Credits go to Richard Brain who discovered and + reported the issue.</p> + </blockquote> + </body> + </description> + <references> + <url>http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-005/</url> + </references> + <dates> + <discovery>2012-11-08</discovery> + <entry>2012-11-12</entry> + </dates> + </vuln> + <vuln vid="a537b449-2b19-11e2-b339-90e6ba652cce"> <topic>DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust</topic> <affects>
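Review bot: The attribution paragraph in the new entry's description reads "Typo Security Team reports:", which misnames the project. The topic and the quoted bulletin both say "TYPO3", so this line should read "TYPO3 Security Team reports:". The second quoted paragraph contains "does not make us of this API"; compare it with the bulletin and keep the wording only if the typo is upstream. The entry covers two issues (SQL injection and XSS in the History Module, XSS in the TCA-Tree render API) with ranges limited to 4.5.x through 4.7.x, while the quoted text says the tree API is not used below 6.0. A short XML comment stating that the ranges follow the bulletin's affected versions would help later editors. The references block carries only the bulletin URL; add cvename elements if identifiers have been assigned.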