CVE-2009-0255 – TYPO3 Sa-2009-001 Weak Encryption Key File Disclosure
https://notcve.org/view.php?id=CVE-2009-0255
The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an insufficiently random seed, which makes it easier for attackers to crack the key. La herramienta de instalación de extensiones del sistema en TYPO3 v4.0.9 a v4.0.0, v4.1.0 a v4.1.7, v4.2.0 y v4.2.3 crea la clave de encriptación con una insuficiente aleatoriedad en la semilla, lo que facilita craquear la clave a los atacantes. • http://secunia.com/advisories/33617 http://secunia.com/advisories/33679 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001 http://www.debian.org/security/2009/dsa-1711 http://www.securityfocus.com/bid/33376 https://exchange.xforce.ibmcloud.com/vulnerabilities/48132 http://blog.c22.cc/advisories/typo3-sa-2009-001 • CWE-330: Use of Insufficiently Random Values •
CVE-2008-5656
https://notcve.org/view.php?id=CVE-2008-5656
Cross-site scripting (XSS) vulnerability in the frontend plugin for the felogin system extension in TYPO3 4.2.0, 4.2.1 and 4.2.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. Vulnerabilidad de Secuencias de Comandos en Sitios Cruzados (XSS) en la extensión de interfaz externo (frontend plugin) para la extensión de sistemas Felogin en TYPO3 4.2.0, 4.2.1 y 4.2.2, permite a atacantes remotos inyectar secuencias de comandos Web o HTML a través de vectores desconocidos. • http://typo3.org/teams/security/security-bulletins/typo3-20081113-2 http://www.securityfocus.com/bid/32284 https://exchange.xforce.ibmcloud.com/vulnerabilities/46591 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-2717
https://notcve.org/view.php?id=CVE-2008-2717
TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions. TYPO3 versiones 4.0.x anteriores a 4.0.9, versiones 4.1.x anteriores a 4.1.7, y versiones 4.2.x anteriores a 4.2.1, utiliza un fileDenyPattern predeterminado insuficientemente restrictivo para Apache, que permite a los atacantes remotos omitir las restricciones de seguridad y cargar archivos de configuración como .htaccess, o conducir ataques de carga de archivos mediante varias extensiones. • http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern http://secunia.com/advisories/30619 http://secunia.com/advisories/30660 http://securityreason.com/securityalert/3945 http://typo3.org/teams/security/security-bulletins/typo3-20080611-1 http://www.debian.org/security/2008/dsa-1596 http://www.securityfocus.com/archive/1/493270/100/0/threaded http://www.securityfocus.com/bid/29657 http://www.vupen.com/english/advisories/2008/1802 https:/ • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2008-2718
https://notcve.org/view.php?id=CVE-2008-2718
Cross-site scripting (XSS) vulnerability in fe_adminlib.inc in TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, as used in extensions such as (1) direct_mail_subscription, (2) feuser_admin, and (3) kb_md5fepw, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en fe_adminlib.inc de TYPO3 4.0.x antes de 4.0.9, 4.1.x antes de 4.1.7 y 4.2.x antes de 4.2.1, del modo que se utiliza en extensiones como (1) direct_mail_subscription, (2) feuser_admin y (3) kb_md5fepw, permite a atacantes remotos inyectar scripts web o HTMl de su elección mediante vectores no especificados. • http://secunia.com/advisories/30619 http://secunia.com/advisories/30660 http://securityreason.com/securityalert/3945 http://typo3.org/teams/security/security-bulletins/typo3-20080611-1 http://www.debian.org/security/2008/dsa-1596 http://www.securityfocus.com/archive/1/493270/100/0/threaded http://www.securityfocus.com/bid/29657 http://www.vupen.com/english/advisories/2008/1802 https://exchange.xforce.ibmcloud.com/vulnerabilities/42986 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •