CVE-2012-1080

Vulnerability

The Euro Calculator extension for TYPO3 (skt_eurocalc) version 0.0.1 is vulnerable to a cross-site scripting (XSS) issue. The vulnerability exists in the extension's handling of data from unspecified input parameters, allowing arbitrary HTML and script injection. The extension is a third-party component not part of the TYPO3 default installation [1].

Exploitation

An attacker can exploit this by crafting a malicious URL or form input containing injected script code. The attack does not require prior authentication, only that a victim user loads a page where the vulnerable extension processes attacker-controlled input. The exact parameters involved are not detailed in the reference, but typical vectors involve GET or POST parameters accepted by the extension's frontend plugin [1].

Impact

Successful exploitation leads to execution of arbitrary web script or HTML in the browser context of the victim user. This can result in session token theft, credential harvesting, or defacement, depending on the attacker's payload. The attack affects the confidentiality and integrity of the victim's interaction with the TYPO3 site, but does not directly compromise the server itself [1].

Mitigation

The TYPO3 Security Team's collective advisory notes that no fix was provided by the extension author; the vulnerable version 0.0.1 was removed from the TYPO3 Extension Repository. Administrators should uninstall or disable the skt_eurocalc extension immediately. There is no patched version available [1].