4.3
CVE-2014-9508: TYPO3: Malicious Links Can Redirect Users to Arbitrary Domains
GHSA-v6xv-rmqc-wcc8
CVE-2014-9508
Summary
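A security issue in the frontend rendering component of TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2 allows remote attackers to redirect users to other websites by manipulating links on a website. When config.prefixLocalAnchors is set and the homepage has links that contain only anchors, the URLs of those links can be changed to point to arbitrary domains. This could lead to phishing or other malicious activities. Update your TYPO3 installation to the latest version to fix this issue.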
What to do
- Update typo3 cms to version 4.5.39.
- Update typo3 cms to version 6.2.9.
- Update typo3 cms to version 7.0.2.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| composer | typo3 | cms | >= 4.5.0, < 4.5.39; >= 4.6.0, < 6.2.9; >= 7.0.0, < 7.0.2. Fix: upgrade to 4.5.39 |
| – | typo3 | typo3 | 4.5.0 4.5.1 4.5.2 4.5.3 4.5.4 4.5.5 4.5.6 4.5.7 4.5.8 4.5.9 4.5.10 4.5.11 4.5.12 4.5.13 4.5.14 4.5.15 4.5.16 4.5.17 4.5.18 4.5.19 4.5.20 4.5.21 4.5.22 4.5.23 4.5.24 4.5.25 4.5.26 4.5.27 4.5.28 4.5.29 4.5.30 4.5.31 4.5.32 4.5.33 4.5.34 4.5.35 4.5.36 4.5.37 4.5.38 4.6.0 4.6.1 4.6.2 4.6.3 4.6.4 4.6.5 4.6.6 4.6.7 4.6.8 4.6.9 4.6.10 4.6.11 4.6.12 4.6.13 4.6.14 4.6.15 4.6.16 4.6.17 4.6.18 4.7.0 4.7.1 4.7.2 4.7.3 4.7.4 4.7.5 4.7.6 4.7.7 4.7.8 4.7.9 4.7.10 4.7.11 4.7.12 4.7.13 4.7.14 4.7.15 4.7.16 4.7.17 4.7.18 4.7.19 4.7.20 6.0 6.0.1 6.0.2 6.0.3 6.0.4 6.0.5 6.0.6 6.0.7 6.0.8 6.0.9 6.0.10 6.0.11 6.0.12 6.0.13 6.0.14 6.1 6.1.1 6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.2 6.2.0 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.2.7 6.2.8 7.0.0 7.0.1 cpe:2.3:a:typo3:typo3:4.5.0:*:*:*:*:*:*:* |
Original title
The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that onl...
Original description
The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that only contain anchors, allows remote attackers to change URLs to arbitrary domains for those links via unknown vectors.
Vulnerability type
CWE-59
Link Following
- https://nvd.nist.gov/vuln/detail/CVE-2014-9508
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00106.html
- http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014...
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-20...
- https://typo3.org/security/advisory/typo3-core-sa-2014-003
- https://github.com/advisories/GHSA-v6xv-rmqc-wcc8
Published: 4 Jan 2015 · Updated: 15 Jun 2026 · First seen: 6 Mar 2026