CVE-2015-5956
Published: 2015-09-16
Priority: P4 · 14 · Low
CVSS 2.0 base score: 3.5 (Low), vector AV:N/AC:M/Au:S/C:N/I:P/A:N
EPSS: 2.01% (78.4th percentile)
The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php and the (2) redirect_url parameter to index.php.
Affected
49 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms | 4.0 – 4.5.40 | — |
| typo3 | cms | >= 6.0 < 6.2.15 | 6.2.15 |
| typo3 | cms | >= 7.0 < 7.4.0 | 7.4.0 |
| typo3 | typo3 | <= 4.5.40 | — |
| typo3 | typo3 | — | — |
OSV · 2022-05-14 · CVE-2015-5956 [LOW] · TYPO3 cross-site scripting (XSS)
GHSA · 2022-05-14 · CVE-2015-5956 [LOW] · CWE-79 · TYPO3 cross-site scripting (XSS)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/133551/Typo3-CMS-6.2.14-4.5.40-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2015/Sep/57
- http://www.securityfocus.com/archive/1/536464/100/0/threaded
- http://www.securitytracker.com/id/1033551
- https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-009/