Some vulnerabilities have been reported in TYPO3, which can be exploited by malicious users to conduct script insertion and SQL injection attacks, disclose sensitive information, and compromise a vulnerable system and by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a vulnerable system.

1) Certain input passed to the click enlarge functionality is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation of this vulnerability requires that the caching framework is enabled.

2) Certain input passed to the FORM content object is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires "editor" permissions in the backend.

3) Certain input is not properly verified before being used to read files and can be exploited to bypass the "fileDenyPattern" restrictions.

4) Certain input passed to the Install Tool is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation of this vulnerability requires Install Tool credentials.

5) Certain input passed to the TypoScript file inclusion functionality is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or remote resources.

Successful exploitation of this vulnerability requires admin permissions.

6) Certain input passed to the unzip library is not properly verified before being used. This can be exploited to disclose sensitive information via directory traversal attacks.

7) Certain input passed to the list module is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires "access" permission to the the list module in the backend.

8) Certain input passed to the "escapeStrForLike()" function when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES is not properly sanitised before being used. This can be exploited to disclose certain records by injecting wildcards.

The vulnerabilities are reported in versions prior to 4.2.16, 4.3.9, or 4.4.5.

Solution
Update to versions 4.2.16, 4.3.9, or 4.4.5.

Provided and/or discovered by
3) Luca Carettoni

The vendor also credits:
1) Andreas Weber
2) Security Team Member Helmut Hummel
3) Gregor Kopf
4) Cedric Tissieres
5) Fabrizio Branca
6) Anthon Pang
7) Core Team Member Jigal van Hemert
8) Security Team Member Marcus Krause

Changelog
Further details available to Secunia VIM customers

Original Advisory
TYPO3-SA-2010-022:
http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-022/

Luca Carettoni:
http://blog.nibblesec.org/2010/12/typo3-sa-2010-020-typo3-sa-2010-022.html

Deep Links
Links available to Secunia VIM customers