CVE-2014-9509

NameCVE-2014-9509
DescriptionThe frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set to all or cached, allows remote attackers to have an unspecified impact (possibly resource consumption) via a "Cache Poisoning" attack using a URL with arbitrary arguments, which triggers a reload of the page.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
typo3-srcsourcesqueeze(unfixed)end-of-life
typo3-srcsourcewheezy(unfixed)end-of-life
typo3-srcsource(unstable)(unfixed)

Notes

[wheezy] - typo3-src <end-of-life> (See DSA 3314)
[squeeze] - typo3-src <end-of-life> (Unsupported in squeeze-lts)
Solution is to remove he configuration options config.prefixLocalAnchors
(and optionally also config.baseUrl) in favor of config.absRefPrefix
Search for package or bug name: Reporting problems