VYPR
Unrated severity · NVD Advisory · Published Oct 7, 2011 · Updated Apr 29, 2026

CVE-2010-4890

Description

Cross-site scripting (XSS) vulnerability in the Yet Another Calendar (ke_yac) extension before 1.1.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The ke_yac extension for TYPO3 before 1.1.2 contains a stored or reflected XSS vulnerability that allows arbitrary script injection via unspecified vectors.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the Yet Another Calendar (ke_yac) extension for TYPO3 before version 1.1.2. The vulnerability allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, as indicated in the extension repository [1]. The affected versions are all releases prior to 1.1.2.

Exploitation

An attacker can trigger the XSS by sending crafted input through the unspecified vectors in the ke_yac extension. No authentication or special privileges are required for exploitation, as the vulnerability is accessible to remote unauthenticated users who can supply malicious payloads through these vectors [1].

Impact

Successful exploitation results in arbitrary web script or HTML execution in the context of the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites, depending on the attacker's payload and the user's privileges within the TYPO3 backend.

Mitigation

The vulnerability is fixed in version 1.1.2 of the ke_yac extension, available from the TYPO3 extension repository [1]. Users are advised to update to this version or later. No workarounds are provided in the available references.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • cpe:2.3:a:andreas_kiefer:ke_yac:*:*:*:*:*:*:*:* (range: <=1.1.1)
  • cpe:2.3:a:andreas_kiefer:ke_yac:1.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:andreas_kiefer:ke_yac:1.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:andreas_kiefer:ke_yac:1.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:andreas_kiefer:ke_yac:1.1.0:*:*:*:*:*:*:*
  • (no CPE) (range: <1.1.2)

Patches

0

No patches discovered yet.

References

3
