Typo3 Multiple Cross-Site Scripting Vulnerabilities Fixed by 6.2.16 and 7.6.1


Description   Multiple vulnerabilities have been identified in Typo3:
- CVE-2015-8757: cross-site scripting located in the "Extension Manager" module
- CVE-2015-8758: multiple cross-site scripting located in the frontend
- CVE-2015-8759: cross-site scripting located in the "typolinks" module
- CVE-2015-8755: multiple cross-site scripting located in the backend
- CVE-2015-8756: cross-site scripting located in the "Indexed Search" module
- CVE-2015-8760: cross-site flashing
     
Vulnerable Products   Vulnerable OS:
FreeBSD (FreeBSD) - All
Vulnerable Software:
Typo3 (Typo3) - 6.2.0, 6.2.1, 6.2.10, 6.2.11, 6.2.12, ..., 7.2.0, 7.3.0, 7.3.1, 7.4.0, 7.6.0
     
Solution   Fixed typo3 packages for FreeBSD are available.
     
CVE   CVE-2015-8760
CVE-2015-8759
CVE-2015-8758
CVE-2015-8757
CVE-2015-8756
CVE-2015-8755
     
References   - TYPO3-CORE-SA-2015-010: Cross-Site Scripting in TYPO3 component Extension Manager
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-010/
- TYPO3-CORE-SA-2015-013: Multiple Cross-Site Scripting vulnerabilities in frontend
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/
- TYPO3-CORE-SA-2015-012: Cross-Site Scripting vulnerability in typolinks
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012/
- TYPO3-CORE-SA-2015-011: Multiple Cross-Site Scripting vulnerabilities in TYPO3 backend
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-011/
- TYPO3-CORE-SA-2015-015: Cross-Site Scripting in TYPO3 component Indexed Search
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-015/
- TYPO3-CORE-SA-2015-014: TYPO3 is susceptible to Cross-Site Flashing
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-014/
- VuXML : typo3 -- multiple vulnerabilities
http://www.vuxml.org/freebsd/a0d77bc8-c6a7-11e5-96d6-14dae9d210b8.html
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarms, grouped by "Available Since" version:

Available since 3.2.0:
- XSS - Prevention - GET : suspicious 'iframe' tag found in URL
- XSS - Prevention - GET : suspicious 'meta' tag found in URL
- XSS - Prevention - GET : suspicious tag with event found in URL
- XSS - Prevention - POST : suspicious 'meta' tag found in data
- XSS - Prevention - GET : javascript code in flash clickTAG parameter
- XSS - Prevention - GET : suspicious 'applet' tag found in URL
- XSS - Phishing : suspicious 'div' tag found in URL
- XSS - Prevention - GET : suspicious 'style' attribute found in URL
- XSS - Prevention - GET : suspicious 'img' tag found in URL
- XSS - Prevention - POST : suspicious 'img' attribute found in data
- XSS - Phishing : suspicious 'a' tag found in URL
- XSS - Prevention - GET : cookie access attempt using script language found in URL
- XSS - Prevention - GET : suspicious 'embed' tag found in URL
- XSS - Prevention - GET : suspicious 'object' tag found in URL
- XSS - Phishing : suspicious 'form' tag found in URL
- XSS - Prevention - GET : javascript code found in URL
- XSS - Prevention - GET : 'script' tag in flash clickTAG parameter
- XSS - Prevention - GET : evasion attempt using tag characters encoding in URL
- XSS - Prevention - GET : suspicious 'style' tag found in URL
- XSS - Phishing : suspicious 'link' tag found in URL
- XSS - Prevention - GET : 'script' tag found in URL
- XSS - Prevention - GET : 'location' javascript object found in URL
- XSS - Prevention - GET : suspicious 'div' tag found in URL

Available since 5.0.0:
- XSS - Prevention - POST : suspicious 'style' tag found in data
- XSS - Prevention - POST : javascript code found in data
- XSS - Prevention - POST : suspicious tag with event found in data
- XSS - Prevention - POST : suspicious 'embed' tag found in data
- XSS - Prevention - POST : 'location' javascript object found in data
- XSS - Prevention - POST : code allowing cookie access found in data
- XSS - Prevention - POST : 'script' tag found in data
- XSS - Prevention - POST : suspicious 'style' attribute found in data
- XSS - Prevention - POST : suspicious 'applet' tag found in data
- XSS - Prevention - POST : suspicious 'div' tag found in data
- XSS - Prevention - POST : suspicious 'img' attribute found in data
- XSS - Prevention - POST : suspicious 'meta' tag found in data
- XSS - Prevention - POST : suspicious 'object' tag found in data
- XSS - Prevention - POST : suspicious 'iframe' tag found in data
     


 
 
 
 
Risk level   Moderate

Vulnerability First Public Report Date   2015-12-15

Target Type   Client

Possible exploit   Remote