CVE-2008-5800 - SQL Injection vulnerability in TYPO3 Fsmi People (Wir über uns) Extension

Publication

2008-12-31

Last modification

2017-08-08

Summary

SQL injection vulnerability in the Wir ber uns [sic] (fsmi_people) extension 0.0.24 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Description

The 'Wir über uns' (fsmi_people) extension for TYPO3 is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. These issues affect fsmi_people 0.0.24; other versions may also be affected.

Solution

The vendor has released an update. Please see the references for more information.

Author: Andreas Cord-Landwehr
Affected extension: Wir über uns (fsmi_people) 0.0.24
Fixed package: fsmi_people_0.0.25.t3x
Download: http://typo3.org/fileadmin/ter/f/s/fsmi_people_0.0.25.t3x

Exploit

An attacker can exploit these issues via a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.

Classification

CWE-89 - SQL Injection

Risk level (CVSS AV:N/AC:L/Au:N/C:P/I:P/A:P)

High

7.5

CVSS base metrics (from the vector AV:N/AC:L/Au:N/C:P/I:P/A:P above)

  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products