CVE-2014-9509

Name: CVE-2014-9509
Description: The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set to all or cached, allows remote attackers to have an unspecified impact (possibly resource consumption) via a "Cache Poisoning" attack using a URL with arbitrary arguments, which triggers a reload of the page.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)

The information below is based on the following data on fixed versions.

Package    | Type   | Release    | Fixed Version | Urgency      | Origin | Debian Bugs
typo3-src  | source | (unstable) | (unfixed)     | high         |        |
typo3-src  | source | squeeze    | (unfixed)     | end-of-life  |        |
typo3-src  | source | wheezy     | (unfixed)     | end-of-life  |        |

Notes

[wheezy] - typo3-src <end-of-life> (See DSA 3314)
[squeeze] - typo3-src <end-of-life> (Unsupported in squeeze-lts)
Solution is to remove the configuration option config.prefixLocalAnchors
(and optionally also config.baseUrl) in favor of config.absRefPrefix
