CVE-2015-5956: Cross-Site Scripting Vulnerability

September 16, 2015 (updated October 9, 2018)

It has been discovered, that it is possible to forge a link to a backend module, which contains a JavaScript payload. This JavaScript is executed, if an authenticated editor with access to the module follows the link that, is tricked to click on a certain HTML target. Because TYPO3 include a secret token unknown to an attacker in every URL, an exploit would not be feasible for these versions.

References

review.typo3.org/
typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-009/

Code Behaviors & Features

Detect and mitigate CVE-2015-5956 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →