It has been discovered that TYPO3 is susceptible to Cross-Site Scripting.
December 15, 2015
Vulnerable subcomponent: Extension Manager
Versions 6.2.0 to 6.2.15, 7.0.0 to 7.6.0
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C
not assigned yet
TYPO3 fails to properly HTML-encode extension data during an extension installation, which makes it vulnerable to Cross-Site Scripting.
Update to TYPO3 version 6.2.16 or 7.6.1, which fix the problem described.
Thanks to security team member Helmut Hummel, who discovered and reported the issue.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce
All security-related code changes are tagged so that you can easily look them up on our review system.
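To triage an inventory against the affected ranges and fixed releases listed above, the following added example (not part of the original advisory or of TYPO3) compares versions numerically, so that 6.2.9 sorts below 6.2.15. The host names, sample versions and function names are constructed for illustration.

```python
import re

# Affected ranges and fixed releases, taken from the advisory text.
AFFECTED = [
    ((6, 2, 0), (6, 2, 15), "6.2.16"),
    ((7, 0, 0), (7, 6, 0), "7.6.1"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch) or raise ValueError for anything else."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a three-part TYPO3 version: {text!r}")
    return tuple(int(part) for part in match.groups())


def triage(version_text):
    """Return (status, upgrade_target).

    status is 'affected' (inside a range the advisory lists), 'not-listed'
    (outside those ranges, which says nothing about other advisories), or
    'unparseable' (needs manual review).
    """
    try:
        version = parse_version(version_text)
    except ValueError:
        return ("unparseable", None)
    for low, high, fixed in AFFECTED:
        if low <= version <= high:  # tuple comparison is numeric per component
            return ("affected", fixed)
    return ("not-listed", None)


def triage_inventory(inventory):
    """Map each host to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "cms-a.example": "6.2.15", "cms-b.example": "6.2.16",
    "cms-c.example": "7.4.0", "cms-d.example": "7.6.1",
    "cms-e.example": "7.6-dev",
}

if __name__ == "__main__":
    for host, (status, target) in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}" + (f", update to {target}" if target else ""))
```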