=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2008/VULN158
_____________________________________________________________________

DATE                      : 06/05/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running powermail with TYPO3.

======================================================================
http://typo3.org/teams/security/security-bulletins/typo3-20080505-2/
______________________________________________________________________

TYPO3 Security Bulletin TYPO3-20080505-2: Cross Site vulnerability in 
extension powermail

Component Type: Third party extension. This extension is not part of the
TYPO3 default installation.

Affected Versions: Version 1.1.9 and all versions below

Vulnerability Type: Cross Site Scripting

Severity: Medium

Problem Description: Failing to filter user input the extension is
susceptible to Cross Site Scripting (XSS), making it possible to execute
arbitrary JavaScript.

Solution: An updated version is available from the TYPO3 extension
manager and at http://typo3.org/extensions/repository/view/powermail/1.1.10/

General advice: Follow the recommendations that are given in the TYPO3
Security Cookbook. Please subscribe to the typo3-announce mailing list
to receive future Security Bulletins via E-mail.

Credits: Credits go to security team member Marcus Krause, who
discovered the issue. Furthermore the TYPO3 Security Team wishes to
thank the authors Alexander Kellner and Mischa Heissmann. After being
informed by the TYPO3 Security Team about the presence of a security
issue, they have fixed the issue quickly.



======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================