
CVE-2009-0258
https://notcve.org/view.php?id=CVE-2009-0258
22 Jan 2009 — The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer. Vulnerabilidad no especificada en la extensión del sistema de la Indexed Search Engine (indexed_search) en TYPO3 v4.0.0 a v4.0.9, v4.1.0 a 4.1.7 y v4.2.0 a v4.2.3 permite a atacantes remotos ejecutar comandos... • http://secunia.com/advisories/33617 • CWE-20: Improper Input Validation •

CVE-2009-0255 – TYPO3 Sa-2009-001 Weak Encryption Key File Disclosure
https://notcve.org/view.php?id=CVE-2009-0255
22 Jan 2009 — The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an insufficiently random seed, which makes it easier for attackers to crack the key. La herramienta de instalación de extensiones del sistema en TYPO3 v4.0.9 a v4.0.0, v4.1.0 a v4.1.7, v4.2.0 y v4.2.3 crea la clave de encriptación con una insuficiente aleatoriedad en la semilla, lo que facilita craquear la clave a los atacantes. • https://packetstorm.news/files/id/180895 • CWE-330: Use of Insufficiently Random Values •

CVE-2008-5656
https://notcve.org/view.php?id=CVE-2008-5656
17 Dec 2008 — Cross-site scripting (XSS) vulnerability in the frontend plugin for the felogin system extension in TYPO3 4.2.0, 4.2.1 and 4.2.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. Vulnerabilidad de Secuencias de Comandos en Sitios Cruzados (XSS) en la extensión de interfaz externo (frontend plugin) para la extensión de sistemas Felogin en TYPO3 4.2.0, 4.2.1 y 4.2.2, permite a atacantes remotos inyectar secuencias de comandos Web o HTML a través de vectores desconocidos. • http://typo3.org/teams/security/security-bulletins/typo3-20081113-2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2008-2717
https://notcve.org/view.php?id=CVE-2008-2717
16 Jun 2008 — TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions. TYPO3 versiones 4.0.x anteriores a 4.0.9, versiones 4.1.x anteriores a 4.1.7, y versiones 4.2.x anteriores a 4.2.1, utiliza un fileDenyPattern predeterminado insuficientemente restrictivo para Apache, ... • http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2008-2718
https://notcve.org/view.php?id=CVE-2008-2718
16 Jun 2008 — Cross-site scripting (XSS) vulnerability in fe_adminlib.inc in TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, as used in extensions such as (1) direct_mail_subscription, (2) feuser_admin, and (3) kb_md5fepw, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en fe_adminlib.inc de TYPO3 4.0.x antes de 4.0.9, 4.1.x antes de 4.1.7 y 4.2.x antes de 4.2.1, del modo que se utiliza en exten... • http://secunia.com/advisories/30619 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •