Medium severity 5.4 · NVD Advisory · Published Jan 8, 2016 · Updated May 6, 2026
CVE-2015-8756
Description
Cross-site scripting (XSS) vulnerability in the search result view in the Indexed Search (indexed_search) component in TYPO3 6.2.x before 6.2.16 allows remote authenticated editors to inject arbitrary web script or HTML via unspecified vectors.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/cms (Packagist) | >= 6.2.0, < 6.2.16 | 6.2.16 |
Affected products
- cpe:2.3:a:typo3:typo3:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.14:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.15:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.9:*:*:*:*:*:*:*
Patches
7e4bdf489881 [SECURITY] XSS in search results
1 file changed · +1 −1
typo3/sysext/indexed_search/Classes/Controller/SearchFormController.php+1 −1 modified@@ -691,7 +691,7 @@ public function getDisplayResults($sWArr, $resData, $freeIndexUid = -1) { $content .= '<p' . $this->pi_classParam('noresults') . '>' . $this->pi_getLL('noResults', '', TRUE) . '</p>'; } // Print a message telling which words we searched for, and in which sections etc. - $what = $this->tellUsWhatIsSeachedFor($sWArr) . (substr($this->piVars['sections'], 0, 2) == 'rl' ? ' ' . $this->pi_getLL('inSection', '', TRUE) . ' "' . substr($this->getPathFromPageId(substr($this->piVars['sections'], 4)), 1) . '"' : ''); + $what = $this->tellUsWhatIsSeachedFor($sWArr) . (substr($this->piVars['sections'], 0, 2) == 'rl' ? ' ' . $this->pi_getLL('inSection', '', TRUE) . ' "' . substr(htmlspecialchars($this->getPathFromPageId(substr($this->piVars['sections'], 4))), 1) . '"' : ''); $what = '<div' . $this->pi_classParam('whatis') . '>' . $this->cObj->stdWrap($what, $this->conf['whatis_stdWrap.']) . '</div>'; $content = $what . $content; // Return content:
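Review bot: in the changed `$what` assignment, `htmlspecialchars()` is applied inside `substr(..., 1)`, so the leading character is stripped from the already-encoded string rather than from the raw path. If the value returned by `getPathFromPageId()` ever began with a character that encodes to an entity, `substr` would cut into that entity and leave a fragment such as `amp;` in the output. Encoding as the last step is more robust: `htmlspecialchars(substr($this->getPathFromPageId(substr($this->piVars['sections'], 4)), 1))`. The same expression also concatenates the return value of `tellUsWhatIsSeachedFor($sWArr)` with no encoding visible in this hunk, and the combined string is then passed through `stdWrap` and emitted inside the `whatis` div, so it is worth confirming that method encodes the search words itself.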
References
- typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-015/ (nvd, Vendor Advisory)
- github.com/advisories/GHSA-xx7m-8rq2-cw2v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-8756 (ghsa, ADVISORY)
- github.com/TYPO3/typo3/commit/7e4bdf48988191043a65880c72190c4130c1f0e0 (ghsa, WEB)
- typo3.org/security/advisory/typo3-core-sa-2015-015 (ghsa, WEB)
- web.archive.org/web/20160624215319/http://www.securitytracker.com/id/1034486 (ghsa, WEB)
- www.securitytracker.com/id/1034486 (nvd)