GHSA-75mx-chcf-2q32: 
PHP vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in TYPO3 CMS, identified as GHSA-75mx-chcf-2q32, affecting versions 6.2.0 to 6.2.15 and 7.0.0 to 7.6.0. The vulnerability was disclosed on December 15, 2015, impacting link fields within the TYPO3 installation (TYPO3 Advisory).

The vulnerability exists in the typolink functionality where authorized editors could insert javascript commands by using the URL scheme 'javascript:'. The issue was present in the ContentObjectRenderer class where javascript: URL schemes were not properly restricted. The vulnerability has been assigned a CVSS v3.1 score of 6.1 (Moderate severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (GitHub Advisory).

The vulnerability allows authorized editors to perform Cross-Site Scripting attacks through link fields within the TYPO3 installation. This could lead to potential compromise of data confidentiality and integrity, though the impact is considered low as it requires user interaction (TYPO3 Advisory).

The vulnerability was patched in TYPO3 versions 6.2.16 and 7.6.1. The fix involves disabling the insecure URL scheme 'javascript:' by default in the typoLink() function. For installations that require the javascript: prefix functionality, it can be re-enabled by installing the extension 'javascript_handler' (TYPO3 Advisory).