Allele Security Alert
ASA-2019-00583, CVE-2019-16700, EXT-SA-2019-017
Event Registration (slub_events): Multiple vulnerabilities
Saxony State and University Library (SLUB) Dresden
TYPO3 extension SLUB: Event Registration (slub_events)
TYPO3 extension SLUB: Event Registration (slub_events) versions before 3.0.3
TYPO3 extension SLUB: Event Registration (slub_events) version 3.0.3
Proof of concept
The extension allows arbitrary files to be uploaded to the web server. In versions 1.2.2 and below, this vulnerability results in remote code execution. In versions later than 1.2.2, it can result in denial of service, since the webspace can be filled up with arbitrary files. The extension also includes jQuery 2.2.4, which is known to be vulnerable to cross-site scripting.
Multiple vulnerabilities in extension “SLUB: Event Registration” (slub_events)
[TYPO3-announce] [Ticket#201910155760000011] Vulnerabilities in multiple third party TYPO3 CMS extensions
SLUB: Event Registration
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 22, 2019