CVE-2009-0256
https://notcve.org/view.php?id=CVE-2009-0256
Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication. Vulnerabilidad de fijación de sesión en la librería de autenticación en TYPO3 v4.0.0 a v4.0.9, v4.1.0 a v4.1.7 y v4.2.0 a v4.2.3, permite a atacantes remotos secuestrar sesiones web mediante vectores no especificados, en relación con (1) el interfaz externo y (2) la autenticación del interfaz interno. • http://secunia.com/advisories/33617 http://secunia.com/advisories/33679 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001 http://www.debian.org/security/2009/dsa-1711 http://www.securityfocus.com/bid/33376 https://exchange.xforce.ibmcloud.com/vulnerabilities/48133 • CWE-287: Improper Authentication •
CVE-2008-2718
https://notcve.org/view.php?id=CVE-2008-2718
Cross-site scripting (XSS) vulnerability in fe_adminlib.inc in TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, as used in extensions such as (1) direct_mail_subscription, (2) feuser_admin, and (3) kb_md5fepw, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en fe_adminlib.inc de TYPO3 4.0.x antes de 4.0.9, 4.1.x antes de 4.1.7 y 4.2.x antes de 4.2.1, del modo que se utiliza en extensiones como (1) direct_mail_subscription, (2) feuser_admin y (3) kb_md5fepw, permite a atacantes remotos inyectar scripts web o HTMl de su elección mediante vectores no especificados. • http://secunia.com/advisories/30619 http://secunia.com/advisories/30660 http://securityreason.com/securityalert/3945 http://typo3.org/teams/security/security-bulletins/typo3-20080611-1 http://www.debian.org/security/2008/dsa-1596 http://www.securityfocus.com/archive/1/493270/100/0/threaded http://www.securityfocus.com/bid/29657 http://www.vupen.com/english/advisories/2008/1802 https://exchange.xforce.ibmcloud.com/vulnerabilities/42986 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-2717
https://notcve.org/view.php?id=CVE-2008-2717
TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions. TYPO3 versiones 4.0.x anteriores a 4.0.9, versiones 4.1.x anteriores a 4.1.7, y versiones 4.2.x anteriores a 4.2.1, utiliza un fileDenyPattern predeterminado insuficientemente restrictivo para Apache, que permite a los atacantes remotos omitir las restricciones de seguridad y cargar archivos de configuración como .htaccess, o conducir ataques de carga de archivos mediante varias extensiones. • http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern http://secunia.com/advisories/30619 http://secunia.com/advisories/30660 http://securityreason.com/securityalert/3945 http://typo3.org/teams/security/security-bulletins/typo3-20080611-1 http://www.debian.org/security/2008/dsa-1596 http://www.securityfocus.com/archive/1/493270/100/0/threaded http://www.securityfocus.com/bid/29657 http://www.vupen.com/english/advisories/2008/1802 https:/ • CWE-264: Permissions, Privileges, and Access Controls •