ID: CVE-2015-1402
Type: cve
Reporter: cve@mitre.org
Modified: 2015-02-04T05:23:00
Description
Cross-site scripting (XSS) vulnerability in the Content Rating extension 1.0.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Related bulletin: TYPO3-EXT-SA-2015-002

Source: typo3
Title: Multiple vulnerabilities in Content Rating (content_rating)
Published: 2015-01-09
Modified: 2015-01-09
Last seen: 2016-09-28T15:30:28
Bulletin family: software
Edition: 1
CVE list: CVE-2015-1403, CVE-2015-1402
CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
Link: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2015-002/

Bulletin text:

It has been discovered that the extension "Content Rating" (content_rating) is susceptible to Cross-Site Scripting and SQL Injection.

**Release Date:** January 9, 2015

**Bulletin Update:** February 23, 2015 (added CVEs)

**Component Type:** Third party extension. This extension is not a part of the TYPO3 default installation.

**Affected Versions:** 1.0.3 and all versions below

**Vulnerability Type:** Cross-Site Scripting, SQL Injection

**Severity:** High

**Suggested CVSS v2.0:** AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C

**CVE:** CVE-2015-1402 (Cross-Site Scripting), CVE-2015-1403 (SQL Injection)

**Problem Description:** The extension fails to properly escape user input in HTML and SQL context.

**Solution:** Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed to provide a security fix for the reported vulnerability in a decent amount of time. Please uninstall and delete the extension folder from your installation.

**Credits:** Credits go to Steffen Müller who discovered and reported the vulnerabilities.

**General advice:** Follow the recommendations that are given in the [TYPO3 Security Guide](http://docs.typo3.org/typo3cms/SecurityGuide/). Please subscribe to the [typo3-announce mailing list](http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce) to receive future Security Bulletins via e-mail.