cpe:2.3:a:typo3:typo3:4.0.9:*:*:*:*:*:*:*

CVE-2009-0255

Public exploit
The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an insufficiently random seed, which makes it easier for attackers to crack the key.
Max CVSS
7.5
EPSS Score
2.17%
Published
2009-01-22
Updated
2024-02-14
Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication.
Max CVSS
7.5
EPSS Score
1.49%
Published
2009-01-22
Updated
2017-08-08
Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) content of indexed files to the (a) Indexed Search Engine (indexed_search) system extension; (b) unspecified test scripts in the ADOdb system extension; and (c) unspecified vectors in the Workspace module.
Max CVSS
4.3
EPSS Score
0.32%
Published
2009-01-22
Updated
2017-08-08
The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer.
Max CVSS
10.0
EPSS Score
1.14%
Published
2009-01-22
Updated
2017-08-08
Multiple cross-site scripting (XSS) vulnerabilities in the backend user interface in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 allow remote attackers to inject arbitrary web script or HTML via unspecified fields.
Max CVSS
4.3
EPSS Score
0.22%
Published
2009-03-05
Updated
2010-04-27
The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to determine an encryption key via crafted input to a tt_content form element.
Max CVSS
4.0
EPSS Score
0.17%
Published
2009-11-02
Updated
2017-08-17
Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
3.5
EPSS Score
0.11%
Published
2009-11-02
Updated
2017-08-17
The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters, related to a "frame hijacking" issue.
Max CVSS
5.5
EPSS Score
0.15%
Published
2009-11-02
Updated
2017-08-17
The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.
Max CVSS
8.5
EPSS Score
0.36%
Published
2009-11-02
Updated
2017-08-17
SQL injection vulnerability in the traditional frontend editing feature in the Frontend Editing subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to execute arbitrary SQL commands via unspecified parameters.
Max CVSS
6.5
EPSS Score
0.18%
Published
2009-11-02
Updated
2017-08-17
Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the sanitizing algorithm.
Max CVSS
4.3
EPSS Score
0.12%
Published
2009-11-02
Updated
2017-08-17
The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential.
Max CVSS
6.8
EPSS Score
1.65%
Published
2009-11-02
Updated
2017-08-17
Cross-site scripting (XSS) vulnerability in the Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
Max CVSS
4.3
EPSS Score
0.27%
Published
2009-11-02
Updated
2017-08-17
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the backend.
Max CVSS
5.4
EPSS Score
0.06%
Published
2019-11-01
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Open Redirection on the backend.
Max CVSS
6.1
EPSS Score
0.10%
Published
2019-11-01
Updated
2019-11-04
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.
Max CVSS
8.8
EPSS Score
0.16%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend.
Max CVSS
8.8
EPSS Score
0.77%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend.
Max CVSS
6.5
EPSS Score
0.10%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the Extension Manager.
Max CVSS
5.4
EPSS Score
0.06%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the uniqid function.
Max CVSS
5.3
EPSS Score
0.11%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Spam Abuse in the native form content element.
Max CVSS
5.3
EPSS Score
0.11%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Header Injection in the secure download feature jumpurl.
Max CVSS
7.5
EPSS Score
0.09%
Published
2019-11-04
Updated
2019-11-05
TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the "forgot password" function.
Max CVSS
5.8
EPSS Score
0.11%
Published
2019-11-05
Updated
2019-11-08
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.
Max CVSS
9.4
EPSS Score
0.21%
Published
2019-11-05
Updated
2019-11-08
TYPO3 before 4.3.4 and 4.4.x before 4.4.1 allows XSS in the textarea view helper in an extbase extension.
Max CVSS
6.1
EPSS Score
0.09%
Published
2019-11-05
Updated
2019-11-07
34 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!