Medium severity 5.4 · NVD Advisory · Published Jan 8, 2016 · Updated May 6, 2026
CVE-2015-8759
Description
Cross-site scripting (XSS) vulnerability in the typoLink function in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote authenticated editors to inject arbitrary web script or HTML via a link field.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/cms (Packagist) | >= 6.2.0, < 6.2.16 | 6.2.16 |
| typo3/cms (Packagist) | >= 7.0.0, < 7.6.1 | 7.6.1 |
Affected products
- cpe:2.3:a:typo3:typo3:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.14:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.15:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.1:*:*:*:*:*:*:*
Patches
de1755a6dcff [SECURITY] Link fields accept inline javascript code
1 file changed · +3 −0
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php+3 −0 modified@@ -6311,6 +6311,9 @@ protected function resolveMixedLinkParameter($linkText, $mixedLinkParameter, &$c // Resource was not found return $linkText; } + // Disallow direct javascript: links + } elseif (strtolower(trim($linkHandlerKeyword)) === 'javascript') { + return $linkText; } else { $linkParameter = $linkParameterParts['url']; }
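Review bot: The new `elseif` in `resolveMixedLinkParameter()` rejects only the exact keyword `javascript` (after `trim` and `strtolower`), so any other keyword still falls through to the `else` branch, where `$linkParameter = $linkParameterParts['url'];` is taken unchanged. I would invert this into an allowlist: accept the schemes a link field is expected to carry and return `$linkText` for everything else, so the fix does not rest on one string comparison. If the denylist stays, the comment should say why `javascript` is the only keyword that needs rejecting here.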
25a1473907f0 [SECURITY] Link fields accept inline javascript code
1 file changed · +3 −0
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php+3 −0 modified@@ -5821,6 +5821,9 @@ public function typoLink($linktxt, $conf) { // Resource was not found return $linktxt; } + // Disallow direct javascript: links + } elseif (strtolower(trim($linkHandlerKeyword)) === 'javascript') { + return $linktxt; } // Link parameter value $link_param = trim($link_paramA[0]);
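Review bot: The comment `// Disallow direct javascript: links` is placed above `} elseif`, which puts it at the end of the preceding branch's body, directly after the "Resource was not found" `return $linktxt;`, where it reads as if it described that case. Move it inside the new branch, above its own `return $linktxt;`. The commit also touches one file with +3 −0 and adds no test; a regression test in `typoLink()`'s test class asserting that a `javascript` link keyword yields the bare link text would pin this behaviour.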
References
- typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012/ (nvd, Vendor Advisory)
- github.com/advisories/GHSA-j5v7-9xr5-m7gx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-8759 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2015-12-15-2.yaml (ghsa, WEB)
- github.com/TYPO3/typo3/commit/25a1473907f0f4b2bb0147c661981940c57a4555 (ghsa, WEB)
- github.com/TYPO3/typo3/commit/de1755a6dcff9b037c6d5a1fa340ba100aff054a (ghsa, WEB)
- typo3.org/security/advisory/typo3-core-sa-2015-012 (ghsa, WEB)
- typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012 (ghsa, WEB)
- web.archive.org/web/20200228051548/http://www.securityfocus.com/bid/79250 (ghsa, WEB)
- www.securityfocus.com/bid/79250 (nvd)