GHSA-p84g-j2gh-83g3: 
PHP vulnerability analysis and mitigation

A cache poisoning vulnerability was discovered in TYPO3 CMS affecting versions 6.2.0 to 6.2.8 and 7.0.0 to 7.0.1. The vulnerability was disclosed on December 10, 2014, and tracked as GHSA-p84g-j2gh-83g3. The issue affects the homepage of TYPO3 installations when using specific configuration options related to anchor handling (TYPO3 Advisory, GitHub Advisory).

The vulnerability occurs when the configuration option config.prefixLocalAnchors is set to either 'all' or 'cached'. This setting allows request URLs with arbitrary arguments pointing to the homepage to be cached. The issue specifically affects installations where the homepage is not configured as a shortcut to a different page (TYPO3 Advisory).

The primary impact of this vulnerability is that unfamiliar-looking links to the home page can be cached, causing the page to reload in the browser when section links are followed by web page visitors, instead of directly jumping to the requested section of the page. This behavior affects the user experience and can potentially be exploited for link spoofing (GitHub Advisory).

The vulnerability was patched in TYPO3 versions 6.2.9 and 7.0.2. As a workaround, administrators can either set config.absRefPrefix to a value fitting their installation or remove the configuration options config.prefixLocalAnchors and config.baseUrl in favor of config.absRefPrefix (TYPO3 Advisory).