TYPO3 contains a weakness related to HTML sanitizing that allows a remote cross-site scripting (XSS) attack. This flaw exists because the HTML Sanitizing API method t3lib_div::RemoveXSS() fails to properly sanitize user-supplied input upon submission to the program. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Upgrade to version 4.4.14, 4.5.14 or 4.6.7 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• CVE ID: 2012-1608 (see also: NVD)
• Secunia Advisory ID: 48647
• Bugtraq ID: 52771
• Related OSVDB ID: 80759 80760 80761
• Vendor Specific Advisory URL: http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/
• Vendor Specific News/Changelog Entry: http://www.debian.org/security/2012/dsa-2445
• Mail List Post: http://www.openwall.com/lists/oss-security/2012/03/30/4

• Marc Wöhlken