Description
The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that only contain anchors, allows remote attackers to change URLs to arbitrary domains for those links via unknown vectors.
References (2)
Core References
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2016-08/msg00106.html
Exploit, Vendor Advisory x_refsource_confirm
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-003/
Scores
EPSS
0.0029
EPSS Percentile
52.4%
Details
CWE
CWE-59
Status
published
Products (50)
typo3/cms
4.5.0 - 4.5.39 (Packagist)
typo3/typo3
4.5.0
typo3/typo3
4.5.1
typo3/typo3
4.5.2
typo3/typo3
4.5.3
typo3/typo3
4.5.4
typo3/typo3
4.5.5
typo3/typo3
4.5.6
typo3/typo3
4.5.7
typo3/typo3
4.5.8
... and 40 more
Published
Jan 04, 2015
Tracked Since
Feb 18, 2026