VYPR
← All advisories
Moderate severityNVD Advisory· Published Oct 25, 2010· Updated Apr 29, 2026

CVE-2010-3715

CVE-2010-3715

Description

Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the RemoveXSS function, and allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (2) the backend.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
typo3/cms-backendPackagist
>= 4.2.0, < 4.2.154.2.15
typo3/cms-backendPackagist
>= 4.3.0, < 4.3.74.3.7
typo3/cms-backendPackagist
>= 4.4.0, < 4.4.44.4.4

Affected products

27
  • TYPO3/Typo326 versions
    cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*+ 25 more
    • cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.10:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.11:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.12:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.13:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.14:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.8:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.2.9:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.4.3:*:*:*:*:*:*:*
  • ghsa-coords
    pkg:composer/typo3/cms-backend
    Range: >= 4.2.0, < 4.2.15

Patches

3
38ec239a35d5

Fixed bug #15461: RemoveXSS exposes XSS vulnerability for double encoded characters (thanks to Marcus Krause)

https://github.com/TYPO3/typo3Oliver HaderOct 6, 2010via ghsa
commit
2 files changed · +10 4
  • ChangeLog+4 0 modified
    @@ -1,3 +1,7 @@
+2010-10-06  Oliver Hader  <oliver@typo3.org>
+
+	* Fixed bug #15461: RemoveXSS exposes XSS vulnerability for double encoded characters (thanks to Marcus Krause)
+
 2010-10-04  Stanislas Rolland  <typo3@sjbr.ca>
 
 	* Fixed bug #15880: htmlArea RTE: Context menu not working in TYPO3 4.4.3 and 4.5-dev
  • typo3/contrib/RemoveXSS/RemoveXSS.php+6 4 modified
    @@ -59,10 +59,12 @@ public static function process($val, $replaceString = '<x>') {
 
 		// straight replacements, the user should never need these since they're normal characters
 		// this prevents like <IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
-		$search = '/&#[xX]0{0,8}(21|22|23|24|25|26|27|28|29|2a|2b|2d|2f|30|31|32|33|34|35|36|37|38|39|3a|3b|3d|3f|40|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|5b|5c|5d|5e|5f|60|61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|7b|7c|7d|7e);?/ie';
-		$val = preg_replace($search, "chr(hexdec('\\1'))", $val);
-		$search = '/&#0{0,8}(33|34|35|36|37|38|39|40|41|42|43|45|47|48|49|50|51|52|53|54|55|56|57|58|59|61|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126);?/ie';
-		$val = preg_replace($search, "chr('\\1')", $val);
+		$searchHexEncodings = '/&#[xX]0{0,8}(21|22|23|24|25|26|27|28|29|2a|2b|2d|2f|30|31|32|33|34|35|36|37|38|39|3a|3b|3d|3f|40|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|5b|5c|5d|5e|5f|60|61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|7b|7c|7d|7e);?/ie';
+		$searchUnicodeEncodings = '/&#0{0,8}(33|34|35|36|37|38|39|40|41|42|43|45|47|48|49|50|51|52|53|54|55|56|57|58|59|61|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126);?/ie';
+		while (preg_match($searchHexEncodings, $val) || preg_match($searchUnicodeEncodings, $val)) {
+			$val = preg_replace($searchHexEncodings, "chr(hexdec('\\1'))", $val);
+			$val = preg_replace($searchUnicodeEncodings, "chr('\\1')", $val);
+		}
 
 		// now the only remaining whitespace attacks are \t, \n, and \r
 		$ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base', 'onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
ce47d8dcdc2c

Fixed bug #15461: RemoveXSS exposes XSS vulnerability for double encoded characters (thanks to Marcus Krause)

https://github.com/TYPO3/typo3Oliver HaderOct 6, 2010via ghsa
commit
2 files changed · +7 4
  • ChangeLog+1 0 modified
    @@ -1,6 +1,7 @@
 2010-10-06  Oliver Hader  <oliver@typo3.org>
 
 	* Fixed bug #13650: Information disclosure in sys_actions (DB mount, usergroups) (thanks to Georg Ringer)
+	* Fixed bug #15461: RemoveXSS exposes XSS vulnerability for double encoded characters (thanks to Marcus Krause)
 
 2010-09-30  Francois Suter  <francois@typo3.org>
  • typo3/contrib/RemoveXSS/RemoveXSS.php+6 4 modified
    @@ -59,10 +59,12 @@ public static function process($val, $replaceString = '<x>') {
 
 		// straight replacements, the user should never need these since they're normal characters
 		// this prevents like <IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
-		$search = '/&#[xX]0{0,8}(21|22|23|24|25|26|27|28|29|2a|2b|2d|2f|30|31|32|33|34|35|36|37|38|39|3a|3b|3d|3f|40|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|5b|5c|5d|5e|5f|60|61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|7b|7c|7d|7e);?/ie';
-		$val = preg_replace($search, "chr(hexdec('\\1'))", $val);
-		$search = '/&#0{0,8}(33|34|35|36|37|38|39|40|41|42|43|45|47|48|49|50|51|52|53|54|55|56|57|58|59|61|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126);?/ie';
-		$val = preg_replace($search, "chr('\\1')", $val);
+		$searchHexEncodings = '/&#[xX]0{0,8}(21|22|23|24|25|26|27|28|29|2a|2b|2d|2f|30|31|32|33|34|35|36|37|38|39|3a|3b|3d|3f|40|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|5b|5c|5d|5e|5f|60|61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|7b|7c|7d|7e);?/ie';
+		$searchUnicodeEncodings = '/&#0{0,8}(33|34|35|36|37|38|39|40|41|42|43|45|47|48|49|50|51|52|53|54|55|56|57|58|59|61|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126);?/ie';
+		while (preg_match($searchHexEncodings, $val) || preg_match($searchUnicodeEncodings, $val)) {
+			$val = preg_replace($searchHexEncodings, "chr(hexdec('\\1'))", $val);
+			$val = preg_replace($searchUnicodeEncodings, "chr('\\1')", $val);
+		}
 
 		// now the only remaining whitespace attacks are \t, \n, and \r
 		$ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base', 'onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
aba23d6f1277

Fixed bug #15461: RemoveXSS exposes XSS vulnerability for double encoded characters (thanks to Marcus Krause)

https://github.com/TYPO3/typo3Oliver HaderOct 6, 2010via ghsa
commit
2 files changed · +7 4
  • ChangeLog+1 0 modified
    @@ -1,6 +1,7 @@
 2010-10-06  Oliver Hader  <oliver@typo3.org>
 
 	* Fixed bug #13650: Information disclosure in sys_actions (DB mount, usergroups) (thanks to Georg Ringer)
+	* Fixed bug #15461: RemoveXSS exposes XSS vulnerability for double encoded characters (thanks to Marcus Krause)
 
 2010-09-24  Steffen Gebert  <steffen@steffen-gebert.de>
  • typo3/contrib/RemoveXSS/RemoveXSS.php+6 4 modified
    @@ -58,10 +58,12 @@ function process($val, $replaceString = '<x>') {
 
 		// straight replacements, the user should never need these since they're normal characters
 		// this prevents like <IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
-		$search = '/&#[xX]0{0,8}(21|22|23|24|25|26|27|28|29|2a|2b|2d|2f|30|31|32|33|34|35|36|37|38|39|3a|3b|3d|3f|40|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|5b|5c|5d|5e|5f|60|61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|7b|7c|7d|7e);?/ie';
-		$val = preg_replace($search, "chr(hexdec('\\1'))", $val);
-		$search = '/&#0{0,8}(33|34|35|36|37|38|39|40|41|42|43|45|47|48|49|50|51|52|53|54|55|56|57|58|59|61|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126);?/ie';
-		$val = preg_replace($search, "chr('\\1')", $val);
+		$searchHexEncodings = '/&#[xX]0{0,8}(21|22|23|24|25|26|27|28|29|2a|2b|2d|2f|30|31|32|33|34|35|36|37|38|39|3a|3b|3d|3f|40|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|5b|5c|5d|5e|5f|60|61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|7b|7c|7d|7e);?/ie';
+		$searchUnicodeEncodings = '/&#0{0,8}(33|34|35|36|37|38|39|40|41|42|43|45|47|48|49|50|51|52|53|54|55|56|57|58|59|61|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126);?/ie';
+		while (preg_match($searchHexEncodings, $val) || preg_match($searchUnicodeEncodings, $val)) {
+			$val = preg_replace($searchHexEncodings, "chr(hexdec('\\1'))", $val);
+			$val = preg_replace($searchUnicodeEncodings, "chr('\\1')", $val);
+		}
 
 		// now the only remaining whitespace attacks are \t, \n, and \r
 		$ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base', 'onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.