CVE-2015-5956

2015-09-1614:59:00

CWE-79

[email protected]

web.nvd.nist.gov

cve

typo3

xss

security

vulnerability

nvd

4.8 Medium

AI Score

Confidence

High

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.065 Low

EPSS

Percentile

93.7%

JSON

The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php and the (2) redirect_url parameter to index.php.

CPENameOperatorVersion
typo3:typo3typo3eq6.2.1
typo3:typo3typo3eq6.2.8
typo3:typo3typo3eq6.2.0
typo3:typo3typo3eq7.0.0
typo3:typo3typo3eq6.2.4
typo3:typo3typo3eq6.0.11
typo3:typo3typo3eq6.0.1
typo3:typo3typo3eq6.1.3
typo3:typo3typo3eq6.2.5
typo3:typo3typo3eq6.0.10

CPE	Name	Operator	Version
typo3:typo3	typo3	eq	6.2.1
typo3:typo3	typo3	eq	6.2.8
typo3:typo3	typo3	eq	6.2.0
typo3:typo3	typo3	eq	7.0.0
typo3:typo3	typo3	eq	6.2.4
typo3:typo3	typo3	eq	6.0.11
typo3:typo3	typo3	eq	6.0.1
typo3:typo3	typo3	eq	6.1.3
typo3:typo3	typo3	eq	6.2.5
typo3:typo3	typo3	eq	6.0.10