PT-2015-7096 · Typo3 · Typo3

Julien Ahrens

Published

2015-09-16

Updated

2022-05-14

CVE-2015-5956

CVSS v2.0

3.5

Low

Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions TYPO3 versions 4.5.40 and earlier TYPO3 versions 6.x through 6.2.14 TYPO3 versions 7.x through 7.3.x

Description The issue allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI. This can be achieved by exploiting the returnUrl parameter to show rechis.php and the redirect url parameter to index.php.

Recommendations For TYPO3 versions 4.5.40 and earlier, update to version 4.5.41 or later. For TYPO3 versions 6.x through 6.2.14, update to version 6.2.15 or later. For TYPO3 versions 7.x through 7.3.x, update to version 7.4.0 or later.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2015-5956

GHSA-989H-WV8X-933P

Affected Products

Typo3

PT-2015-7096 · Typo3 · Typo3

CVE-2015-5956

Weakness Enumeration

Related Identifiers

Affected Products

References · 9