CVE-2012-1608

The t3lib_div::RemoveXSS API method in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism and inject arbitrary web script or HTML via non printable characters.

Published Bysecalert@redhat.com

Published DateSep 04, 2012, 20:55

Affected Versions(3)

typo3/cms(Packagist)

Introduced4.4.0

Fixed4.4.14

LimitN/A

typo3/cms(Packagist)

Introduced4.5.0

Fixed4.5.14

LimitN/A

typo3/cms(Packagist)

Introduced4.6.0

Fixed4.6.7

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
typo3/cms(Packagist)	4.4.0	4.4.14	N/A
typo3/cms(Packagist)	4.5.0	4.5.14	N/A
typo3/cms(Packagist)	4.6.0	4.6.7	N/A

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE

References

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE