CVSS: 6.1EPSS: 0%CPEs: 39EXPL: 0CVE-2015-8757
https://notcve.org/view.php?id=CVE-2015-8757
Cross-site scripting (XSS) vulnerability in the Extension Manager in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to extension data during an extension installation. Vulnerabilidad de XSS en el Extension Manager en TYPO3 6.2.x en versiones anteriores a 6.2.16 y 7.x en versiones anteriores a 7.6.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados relacionados con datos de extensión durante una intalación de extensión. • http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-010 http://www.securityfocus.com/bid/79254 http://www.securitytracker.com/id/1034482 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.5EPSS: 4%CPEs: 48EXPL: 0CVE-2015-5956 – Typo3 CMS 6.2.14 / 4.5.40 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-5956
The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php and the (2) redirect_url parameter to index.php. Vulnerabilidad en la función sanitizeLocalUrl en TYPO3 6.x en versiones anteriores a 6.2.15, 7.x en versiones anteriores a 7.4.0, 4.5.40 y versiones anteriores, permite a usuarios remotos autenticados eludir el filtro XSS y realizar ataques de XSS a través de un URI de datos codificados en base64, según lo demostrado por el (1) parámetro returnUrl en show_rechis.php y (2) parámetro redirect_url en index.php. Typo3 CMS versions 6.2.14 and below and 4.5.40 and below suffer from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/133551/Typo3-CMS-6.2.14-4.5.40-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/Sep/57 http://www.securityfocus.com/archive/1/536464/100/0/threaded http://www.securitytracker.com/id/1033551 https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-009 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •