Low severityNVD Advisory· Published Sep 16, 2015· Updated May 6, 2026
CVE-2015-5956
CVE-2015-5956
Description
The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php and the (2) redirect_url parameter to index.php.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
typo3/cmsPackagist | >= 6.0, < 6.2.15 | 6.2.15 |
typo3/cmsPackagist | >= 7.0, < 7.4.0 | 7.4.0 |
typo3/cmsPackagist | >= 4.0, <= 4.5.40 | — |
Affected products
48cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*+ 47 more
- cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*range: <=4.5.40
- cpe:2.3:a:typo3:typo3:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.14:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.3.0:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- github.com/advisories/GHSA-989h-wv8x-933pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2015-5956ghsaADVISORY
- typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-009/nvdVendor Advisory
- packetstormsecurity.com/files/133551/Typo3-CMS-6.2.14-4.5.40-Cross-Site-Scripting.htmlnvdWEB
- seclists.org/fulldisclosure/2015/Sep/57nvdWEB
- www.securityfocus.com/archive/1/536464/100/0/threadednvdWEB
- www.securitytracker.com/id/1033551nvdWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2015-5956.yamlghsaWEB
- typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-009ghsaWEB
News mentions
0No linked articles in our index yet.