SB2016010805 - Multiple vulnerabilities in TYPO3
Published: January 8, 2016 Updated: November 18, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2015-8759)
Vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in the typoLink function in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Cross-site scripting (CVE-ID: CVE-2015-8758)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via unknown vectors. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Cross-site scripting (CVE-ID: CVE-2015-8757)
Vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in the Extension Manager in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Cross-site scripting (CVE-ID: CVE-2015-8755)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via unknown vectors. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.
References
- http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012/
- http://www.securityfocus.com/bid/79250
- http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/
- http://www.securityfocus.com/bid/79240
- http://www.securitytracker.com/id/1034484
- http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-010/
- http://www.securityfocus.com/bid/79254
- http://www.securitytracker.com/id/1034482
- http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-011/
- http://www.securityfocus.com/bid/79236
- http://www.securitytracker.com/id/1034483