Vulnerability Details : CVE-2009-0255
Public exploit exists!
The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an insufficiently random seed, which makes it easier for attackers to crack the key.
Products affected by CVE-2009-0255
- cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-0255
1.85%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 89 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2009-0255
-
TYPO3 sa-2009-001 Weak Encryption Key File Disclosure
Disclosure Date: 2009-01-20First seen: 2020-04-26auxiliary/admin/http/typo3_sa_2009_001This module exploits a flaw in TYPO3 encryption ey creation process to allow for file disclosure in the jumpUrl mechanism. This flaw can be used to read any file that the web server user account has access to view. Authors: - Chris John Riley
CVSS scores for CVE-2009-0255
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST | 2024-02-14 |
CWE ids for CVE-2009-0255
-
Assigned by: nvd@nist.gov (Primary)
-
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-0255
-
http://secunia.com/advisories/33679
About Secunia Research | FlexeraBroken Link;Vendor Advisory
-
http://secunia.com/advisories/33617
About Secunia Research | FlexeraBroken Link;Vendor Advisory
-
http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/
Page Not FoundVendor Advisory
-
http://www.debian.org/security/2009/dsa-1711
[SECURITY] [DSA 1711-1] New TYPO3 packages fix remote code executionMailing List
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/48132
TYPO3 Install tool weak security CVE-2009-0255 Vulnerability ReportThird Party Advisory;VDB Entry
-
http://www.securityfocus.com/bid/33376
Broken Link;Third Party Advisory;VDB Entry
Jump to