CVE-2014-9508: Improper Link Resolution Before File Access ('Link Following')

May 17, 2022 (updated August 16, 2023)

The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that only contain anchors, allows remote attackers to change URLs to arbitrary domains for those links via unknown vectors.

References

lists.opensuse.org/opensuse-updates/2016-08/msg00106.html
typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-003/
github.com/advisories/GHSA-v6xv-rmqc-wcc8
nvd.nist.gov/vuln/detail/CVE-2014-9508

Code Behaviors & Features

Detect and mitigate CVE-2014-9508 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →