CVE-2009-0257
Description
Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) content of indexed files to the (a) Indexed Search Engine (indexed_search) system extension; (b) unspecified test scripts in the ADOdb system extension; and (c) unspecified vectors in the Workspace module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple XSS vulnerabilities in TYPO3 4.0.0-4.2.3 allow remote attackers to inject arbitrary web script or HTML via indexed files, ADOdb test scripts, and the Workspace module.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in TYPO3 versions 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 [1]. The flaws are present in the Indexed Search Engine (indexed_search) system extension via the name and content of indexed files; in unspecified test scripts within the ADOdb system extension; and through unspecified vectors in the Workspace module. These issues allow injection of arbitrary web script or HTML [1].
Exploitation
An attacker can exploit these XSS vulnerabilities remotely without authentication. The attack requires the victim to interact with a malicious link or content that triggers the injection in the affected TYPO3 components. Specifically, the attacker must craft a request that includes injected script as the name or content of an indexed file, or via the ADOdb test scripts or Workspace module vectors. Successful exploitation occurs when the victim visits a page that renders the injected data [1].
Impact
Successful exploitation allows a remote attacker to execute arbitrary web script or HTML in the context of the affected site, potentially leading to session hijacking, defacement, or theft of sensitive data such as credentials. The impact is limited to the browser session and the trust level of the authenticated user, but can be used to perform actions on behalf of the victim [1].
Mitigation
TYPO3 released updated versions 4.0.10, 4.1.8, and 4.2.4 to fix these issues [1]. Users should upgrade to the latest available version or apply the security patches provided by the vendor. No workaround is documented in the available references. As of the publication date, the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
[1]: http://secunia.com/advisories/33679
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*
- (no CPE) version ranges: 4.0.0-4.0.9, 4.1.0-4.1.7, 4.2.0-4.2.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- secunia.com/advisories/33617 (nvd; Vendor Advisory)
- typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/ (nvd; Vendor Advisory)
- secunia.com/advisories/33679 (nvd)
- www.debian.org/security/2009/dsa-1711 (nvd)
- www.securityfocus.com/bid/33376 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/48133 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/48135 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/48136 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/48137 (nvd)
News mentions
No linked articles in our index yet.