CVE-2009-3628 TYPO3 Information disclosure
TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below,
4.3.0beta1 and below contain an information disclosure flaw where, if
malicious content was entered into a tt_content form element, a backend
user could recalculate the encryption key.
References:
http://marc.info/?l=oss-security&m=125626536616052&w=2
https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/
CVE-2009-3629 TYPO3 Cross-site scripting
TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below,
4.3.0beta1 and below contain a cross-site scripting flaw where the TYPO3
backend failed to properly sanitize user input.
References:
http://marc.info/?l=oss-security&m=125626536616052&w=2
https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/
CVE-2009-3630 TYPO3 Frame hijacking
TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below,
4.3.0beta1 and below contain a flaw where, by manipulating URL parameters,
it is possible to include arbitrary websites in the TYPO3 backend
framesets.
References:
http://marc.info/?l=oss-security&m=125626536616052&w=2
https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/
CVE-2009-3631 TYPO3 Remote shell command execution
TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below,
4.3.0beta1 and below, when using certain third-party file upload
extensions, could allow a file with a crafted name to execute arbitrary
commands on the TYPO3 server.
References:
http://marc.info/?l=oss-security&m=125626536616052&w=2
https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/
CVE-2009-3632 TYPO3 SQL injection
TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below,
4.3.0beta1 and below contain an SQL injection flaw where a logged-in user
could execute arbitrary SQL by sending the server a specially crafted URL.
References:
http://marc.info/?l=oss-security&m=125626536616052&w=2
https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/
CVE-2009-3633 TYPO3 API function t3lib_div::quoteJSvalue XSS
TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below,
4.3.0beta1 and below contain an unauthenticated cross-site scripting flaw
in its API function t3lib_div::quoteJSvalue.
References:
http://marc.info/?l=oss-security&m=125626536616052&w=2
https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/
CVE-2009-3634 TYPO3 Frontend Login Box (felogin) XSS
TYPO3 versions 4.2.0 to 4.2.6 contain a cross-site scripting flaw
where the URL parameters of the Frontend Login Box were not properly
sanitized.
References:
http://marc.info/?l=oss-security&m=125626536616052&w=2
https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/
CVE-2009-3635 TYPO3 Insecure Authentication and Session Handling
TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below,
4.3.0beta1 and below contain an insecure authentication and session
handling flaw. If an attacker knows the md5 hash of the Install Tool
password, they can gain access to the Install Tool.
References:
http://marc.info/?l=oss-security&m=125626536616052&w=2
https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/
CVE-2009-3636 TYPO3 Install Tool XSS
TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below,
4.3.0beta1 and below contain a cross-site scripting flaw in the Install
Tool. The Install Tool does not properly sanitize URL parameters, leading
to this attack.
Note: The Install Tool is not meant to be activated in production
environments.
References:
http://marc.info/?l=oss-security&m=125626536616052&w=2
https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/