CVE-2012-1606 — Typo3 Backend XSS Vulnerabilities

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Backend component in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.

How to fix CVE-2012-1606

To remediate CVE-2012-1606, upgrade the affected package to a fixed version below.

Debian/typo3-src—upgrade to 4.3.9+dfsg1-1+squeeze3 or later
Packagist/typo3/cms—upgrade to 4.4.14 or later

Is CVE-2012-1606 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.3.9+dfsg1-1+squeeze3
>= 4.4.0, < 4.4.14

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-1606
WEBweb.archive.org/web/20120527123559/http://www.securityfocus.com/bid/52771
WEBtypo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001
WEBwww.debian.org/security/2012/dsa-2445