{"id":"CVE-2016-4056","details":"Cross-site scripting (XSS) vulnerability in the Backend component in TYPO3 6.2.x before 6.2.19 allows remote attackers to inject arbitrary web script or HTML via the module parameter when creating a bookmark.","aliases":["GHSA-ffcm-vhcw-p32r"],"modified":"2026-04-10T03:51:16.877260Z","published":"2017-01-23T21:59:01.377Z","references":[{"type":"FIX","url":"https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-006/"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2016/04/21/1"},{"type":"EVIDENCE","url":"https://labs.integrity.pt/advisories/cve-pending-stored-cross-site-scripting-in-typo3-bookmarks/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/typo3/typo3","events":[{"introduced":"0"},{"last_affected":"185929060408a3f7668b3cc6b3ea09d9c4df0e08"},{"introduced":"0"},{"last_affected":"e897b5b2e4394c48ff8bedf8e8a60c45abb47e29"},{"introduced":"0"},{"last_affected":"d4da98fdae2cfb63cb373687bdf88be4f3bcce00"},{"introduced":"0"},{"last_affected":"9ee3ac976d5fb47a39701cc662f9a812ac202f66"},{"introduced":"0"},{"last_affected":"7177ff6c953547dfab6f5eb9ded130e3a39e1c17"},{"introduced":"0"},{"last_affected":"b547f6003cab25130b73373a3e17af44b3dea6b6"},{"introduced":"0"},{"last_affected":"444ee47cc987e54272495dce11b18b8f52a21b9f"},{"introduced":"0"},{"last_affected":"9e9ca9ae1e397f5fa8f4dbbd6caa563a27db1f98"},{"introduced":"0"},{"last_affected":"963ea9ad3afc75969ae3c91c917c48d8d8792907"},{"introduced":"0"},{"last_affected":"1fcdfb4da66f89daf7b406234ce4038c3a024688"},{"introduced":"0"},{"last_affected":"03c63f28e15a42dafe4c128e0c5caa40b96e92c8"},{"introduced":"0"},{"last_affected":"8dff38a233f2ddb8aadde84e327a2d5ef216be51"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6.2.0-alpha1"},{"introduced":"0"},{"last_affected":"6.2.0-alpha2"},{"introduced":"0"},{"last_affected":"6.2.0-alpha3"},{"introduced":"0"},{"last_affected":"6.2.0-beta1"},{"introduced":"0"},{"last_affected":"6.2.0-beta2"},{"introduced":"0"},{"last_affected":"6.2.0-beta3"},{"introduced":"0"},{"last_affected":"6.2.0-beta4"},{"introduced":"0"},{"last_affected":"6.2.0-beta5"},{"introduced":"0"},{"last_affected":"6.2.0-beta6"},{"introduced":"0"},{"last_affected":"6.2.0-beta7"},{"introduced":"0"},{"last_affected":"6.2.0-rc1"},{"introduced":"0"},{"last_affected":"6.2.0-rc2"}]}},{"type":"GIT","repo":"https://github.com/typo3/typo3.cms","events":[{"introduced":"0"},{"last_affected":"4924c9e5e3188648b2b4f1dd8669b74b7ad61405"},{"introduced":"0"},{"last_affected":"4707e4237e657b5bf9b24d667abc955459bf01f4"},{"introduced":"0"},{"last_affected":"ad213706b90180e3fe3b16fbfc8e54cb49c3fd1f"},{"introduced":"0"},{"last_affected":"30b091ae307f55581e7e1418891d0e81cf85ccee"},{"introduced":"0"},{"last_affected":"ebcf783994e4e6e17bc3058f87be5bd6c9b99d7c"},{"introduced":"0"},{"last_affected":"3eefe725197182b99f47db410aa5ccb313377ce0"},{"introduced":"0"},{"last_affected":"a34edf6b58cd8d799a67fb20c1a67bff6aa374e9"},{"introduced":"0"},{"last_affected":"e5cee90e38b1bd1a33b5c9d7bfab5f77108a6cf1"},{"introduced":"0"},{"last_affected":"9bd95e7fc6ed38c5c1c57de69d9e3ea937bd3c92"},{"introduced":"0"},{"last_affected":"177cd38666bb4e7a026c60cdeda252596bf2c587"},{"introduced":"0"},{"last_affected":"b3201dd1e9ffd33dbd55912626d6de248e8d5696"},{"introduced":"0"},{"last_affected":"634451645ba110b7eadcef0bc964e3ddadbe7a2c"},{"introduced":"0"},{"last_affected":"1e44a4d1533aa4d70e6fa90ec96ef3f098844d59"},{"introduced":"0"},{"last_affected":"1fece4341b5bb18137f2fd60c34e30638b8eeef3"},{"introduced":"0"},{"last_affected":"f695f377f48c23bec3156c6d0f58f8a078d8a651"},{"introduced":"0"},{"last_affected":"2e7ea604c4ee75bb50d7df9b63d6d1add8b2e1a6"},{"introduced":"0"},{"last_affected":"8f9fa5948c4bd1f1cf2fd59114ffed42bd66f619"},{"introduced":"0"},{"last_affected":"645227dd0c24b3e2e029e68066fa1c5beb036b96"},{"introduced":"0"},{"last_affected":"449cf97a914c2dd719b728dc77d7b547ba557f33"},{"introduced":"0"},{"last_affected":"1d8a0aad7b8e539dd3fba7f494e573df0befc6ea"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6.2"},{"introduced":"0"},{"last_affected":"6.2.1"},{"introduced":"0"},{"last_affected":"6.2.2"},{"introduced":"0"},{"last_affected":"6.2.3"},{"introduced":"0"},{"last_affected":"6.2.4"},{"introduced":"0"},{"last_affected":"6.2.5"},{"introduced":"0"},{"last_affected":"6.2.6"},{"introduced":"0"},{"last_affected":"6.2.7"},{"introduced":"0"},{"last_affected":"6.2.8"},{"introduced":"0"},{"last_affected":"6.2.9"},{"introduced":"0"},{"last_affected":"6.2.10"},{"introduced":"0"},{"last_affected":"6.2.10-rc1"},{"introduced":"0"},{"last_affected":"6.2.11"},{"introduced":"0"},{"last_affected":"6.2.12"},{"introduced":"0"},{"last_affected":"6.2.13"},{"introduced":"0"},{"last_affected":"6.2.14"},{"introduced":"0"},{"last_affected":"6.2.15"},{"introduced":"0"},{"last_affected":"6.2.16"},{"introduced":"0"},{"last_affected":"6.2.17"},{"introduced":"0"},{"last_affected":"6.2.18"}]}}],"versions":["6.2.0","6.2.1","6.2.10","6.2.10-rc1","6.2.11","6.2.12","6.2.13","6.2.14","6.2.15","6.2.16","6.2.17","6.2.18","6.2.2","6.2.3","6.2.4","6.2.5","6.2.6","6.2.7","6.2.8","6.2.9","TYPO3_6-1-0rc1","TYPO3_6-2-0","TYPO3_6-2-0alpha1","TYPO3_6-2-0alpha2","TYPO3_6-2-0alpha3","TYPO3_6-2-0beta1","TYPO3_6-2-0beta2","TYPO3_6-2-0beta3","TYPO3_6-2-0beta4","TYPO3_6-2-0beta5","TYPO3_6-2-0beta6","TYPO3_6-2-0beta7","TYPO3_6-2-0rc1","TYPO3_6-2-0rc2","TYPO3_6-2-1","TYPO3_6-2-10","TYPO3_6-2-10rc1","TYPO3_6-2-11","TYPO3_6-2-12","TYPO3_6-2-13","TYPO3_6-2-14","TYPO3_6-2-15","TYPO3_6-2-16","TYPO3_6-2-17","TYPO3_6-2-18","TYPO3_6-2-2","TYPO3_6-2-3","TYPO3_6-2-4","TYPO3_6-2-5","TYPO3_6-2-6","TYPO3_6-2-7","TYPO3_6-2-8","TYPO3_6-2-9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4056.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}