Main Vulnerability Database Vulnerabilities #VU40969

#VU40969 Link following in TYPO3 - CVE-2014-9508

Published: January 4, 2015 / Updated: August 9, 2020

Vulnerability identifier: #VU40969

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2014-9508

CWE-ID: CWE-59

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
TYPO3

Software vendor:
TYPO3

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that only contain anchors, allows remote attackers to change URLs to arbitrary domains for those links via unknown vectors.

Remediation

Install update from vendor's website.

External links

http://lists.opensuse.org/opensuse-updates/2016-08/msg00106.html
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-003/