Typo3 · Typo3 Core · CVE-2011-3583
**Name of the Vulnerable Software and Affected Versions**
Typo3 Core versions 4.5.0 through 4.5.5
**Description**
The issue lies in how Typo3 Core handles prepared statements: if parameter values are not properly replaced in the query, the result can be a SQL injection vulnerability. It can be exploited when two or more parameters are bound to a query and at least two of these parameters come from user input.
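Why the two-parameter precondition matters, shown as an added example that is not Typo3 code: it assumes a simplified emulation that substitutes named placeholders one after another, next to a single-pass version. The function names, the query, the table and the sample values are all constructed for illustration.

```php
<?php
// Added illustration: a simplified model of emulated named placeholders.
// Not Typo3 code; every name and value below is hypothetical.

/** Quote a value as a SQL string literal by doubling single quotes. */
function quoteValue(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

/** Flawed: one placeholder at a time, rescanning the whole query each round,
 *  so text inserted for an earlier parameter is scanned again. */
function bindSequential(string $sql, array $params): string
{
    foreach ($params as $name => $value) {
        $sql = str_replace($name, quoteValue($value), $sql);
    }
    return $sql;
}

/** Hardened: a single pass over the developer-written template;
 *  inserted values are never scanned for placeholders. */
function bindSinglePass(string $sql, array $params): string
{
    return preg_replace_callback(
        '/:[A-Za-z_][A-Za-z0-9_]*/',
        function (array $m) use ($params): string {
            if (!array_key_exists($m[0], $params)) {
                throw new InvalidArgumentException("Unbound placeholder {$m[0]}");
            }
            return quoteValue($params[$m[0]]);
        },
        $sql
    );
}

// Constructed sample input: both values are treated as user-supplied.
$sql    = 'SELECT id FROM example WHERE name = :name AND city = :city';
$params = [
    ':name' => 'contains :city marker', // happens to include the other placeholder
    ':city' => "O'Brien",               // ordinary value with a quote character
];

echo "sequential:  ", bindSequential($sql, $params), PHP_EOL;
echo "single pass: ", bindSinglePass($sql, $params), PHP_EOL;
```

In the sequential output the second value, quotes included, is inserted inside the first value's string literal and ends that literal early; the single-pass output keeps both literals intact. Native server-side prepared statements avoid the textual substitution altogether.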
**Recommendations**
For Typo3 Core versions 4.5.0 through 4.5.5, ensure that all parameter values are properly replaced to prevent SQL Injection. As a temporary workaround, consider restricting user input for queries with multiple bound parameters until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.