SB2016010804 - Multiple vulnerabilities in TYPO3

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2015-8760)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The Flvplayer component in TYPO3 6.2.x before 6.2.16 allows remote attackers to embed Flash videos from external domains via unspecified vectors, aka "Cross-Site Flashing."

2) Cross-site scripting (CVE-ID: CVE-2015-8756)

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in the search result view in the Indexed Search (indexed_search) component in TYPO3 6.2.x before 6.2.16. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-014/
• http://www.securityfocus.com/bid/79210
• http://www.securitytracker.com/id/1034485
• http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-015/
• http://www.securitytracker.com/id/1034486