VulnerableCode Package Details - pkg:composer/typo3/cms@4.2.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-5arh-exf5-zub1 Aliases: CVE-2010-5103 GHSA-r2w2-2r2x-fpcx	TYPO3 SQL Injection vulnerability SQL injection vulnerability in the list module in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via unspecified vectors.	4.2.16 Affected by 0 other vulnerabilities. 4.3.9 Affected by 0 other vulnerabilities. 4.4.5 Affected by 0 other vulnerabilities.
VCID-69fr-ztbp-z7gg Aliases: CVE-2009-0258 GHSA-74w6-ww7w-45j9	Improper Input Validation The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer.	4.2.4 Affected by 0 other vulnerabilities.
VCID-acey-xzmu-7yg9 Aliases: CVE-2009-0816 GHSA-jg55-3q6h-2ccf	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in the backend user interface in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 allow remote attackers to inject arbitrary web script or HTML via unspecified fields.	4.2.6 Affected by 0 other vulnerabilities.
VCID-enht-zcrt-mbe6 Aliases: CVE-2010-5099 GHSA-66j3-66cp-6c2m	TYPO3 Path Traversal vulnerability The fileDenyPattern functionality in the PHP file inclusion protection API in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly filter file types, which allows remote attackers to bypass intended access restrictions and access arbitrary PHP files, as demonstrated using path traversal sequences with %00 null bytes and CVE-2010-3714 to read the TYPO3 encryption key from localconf.php.	4.2.16 Affected by 0 other vulnerabilities. 4.3.9 Affected by 0 other vulnerabilities. 4.4.5 Affected by 0 other vulnerabilities.
VCID-jbu9-bp56-rkgw Aliases: CVE-2010-3714 GHSA-w736-qv86-vq94	TYPO3 Remote File Disclosure vulnerability in the jumpUrl mechanism The jumpUrl (aka access tracking) implementation in `tslib/class.tslib_fe.php` in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allows remote attackers to read arbitrary files via unspecified vectors.	4.2.15 Affected by 0 other vulnerabilities. 4.3.7 Affected by 0 other vulnerabilities. 4.4.4 Affected by 0 other vulnerabilities.
VCID-k6fn-pcqn-byhu Aliases: CVE-2010-5101 GHSA-rmqc-wfjm-3f66	TYPO3 Directory Traversal vulnerability Directory traversal vulnerability in the TypoScript setup in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated administrators to read arbitrary files via unspecified vectors related to the "file inclusion functionality."	4.2.16 Affected by 0 other vulnerabilities. 4.3.9 Affected by 0 other vulnerabilities. 4.4.5 Affected by 0 other vulnerabilities.
VCID-tsmu-e547-8kdx Aliases: CVE-2009-0815 GHSA-c22j-84c7-cm77	TYPO3 leaks a hash secret in an error message The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.	4.2.6 Affected by 0 other vulnerabilities.
VCID-u1y7-xzfg-z7ce Aliases: CVE-2009-3635 GHSA-hwrc-w5gg-f335	TYPO3 Install Tool Subcomponent Allows Access Using Only a Password's MD5 Hash as a Credential The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential.	4.2.10 Affected by 0 other vulnerabilities. 4.3.0-beta2 Affected by 0 other vulnerabilities.
VCID-zkmd-h3ch-ebbg Aliases: CVE-2009-0256 GHSA-q45q-5233-229p	Improper Authentication Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication.	4.2.4 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-5arh-exf5-zub1
Aliases:
CVE-2010-5103
GHSA-r2w2-2r2x-fpcx

TYPO3 SQL Injection vulnerability SQL injection vulnerability in the list module in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via unspecified vectors.

4.2.16
Affected by 0 other vulnerabilities.

4.3.9
Affected by 0 other vulnerabilities.

4.4.5
Affected by 0 other vulnerabilities.

VCID-69fr-ztbp-z7gg
Aliases:
CVE-2009-0258
GHSA-74w6-ww7w-45j9

Improper Input Validation The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer.

4.2.4
Affected by 0 other vulnerabilities.

VCID-acey-xzmu-7yg9
Aliases:
CVE-2009-0816
GHSA-jg55-3q6h-2ccf

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in the backend user interface in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 allow remote attackers to inject arbitrary web script or HTML via unspecified fields.

4.2.6
Affected by 0 other vulnerabilities.

VCID-enht-zcrt-mbe6
Aliases:
CVE-2010-5099
GHSA-66j3-66cp-6c2m

TYPO3 Path Traversal vulnerability The fileDenyPattern functionality in the PHP file inclusion protection API in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly filter file types, which allows remote attackers to bypass intended access restrictions and access arbitrary PHP files, as demonstrated using path traversal sequences with %00 null bytes and CVE-2010-3714 to read the TYPO3 encryption key from localconf.php.

4.2.16
Affected by 0 other vulnerabilities.

4.3.9
Affected by 0 other vulnerabilities.

4.4.5
Affected by 0 other vulnerabilities.

VCID-jbu9-bp56-rkgw
Aliases:
CVE-2010-3714
GHSA-w736-qv86-vq94

TYPO3 Remote File Disclosure vulnerability in the jumpUrl mechanism The jumpUrl (aka access tracking) implementation in `tslib/class.tslib_fe.php` in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allows remote attackers to read arbitrary files via unspecified vectors.

4.2.15
Affected by 0 other vulnerabilities.

4.3.7
Affected by 0 other vulnerabilities.

4.4.4
Affected by 0 other vulnerabilities.

VCID-k6fn-pcqn-byhu
Aliases:
CVE-2010-5101
GHSA-rmqc-wfjm-3f66

TYPO3 Directory Traversal vulnerability Directory traversal vulnerability in the TypoScript setup in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated administrators to read arbitrary files via unspecified vectors related to the "file inclusion functionality."

4.2.16
Affected by 0 other vulnerabilities.

4.3.9
Affected by 0 other vulnerabilities.

4.4.5
Affected by 0 other vulnerabilities.

VCID-tsmu-e547-8kdx
Aliases:
CVE-2009-0815
GHSA-c22j-84c7-cm77

TYPO3 leaks a hash secret in an error message The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.

4.2.6
Affected by 0 other vulnerabilities.

VCID-u1y7-xzfg-z7ce
Aliases:
CVE-2009-3635
GHSA-hwrc-w5gg-f335

TYPO3 Install Tool Subcomponent Allows Access Using Only a Password's MD5 Hash as a Credential The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential.

4.2.10
Affected by 0 other vulnerabilities.

4.3.0-beta2
Affected by 0 other vulnerabilities.

VCID-zkmd-h3ch-ebbg
Aliases:
CVE-2009-0256
GHSA-q45q-5233-229p

Improper Authentication Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication.

4.2.4
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-04T14:31:51.003928+00:00	GHSA Importer	Affected by	VCID-jbu9-bp56-rkgw	https://github.com/advisories/GHSA-w736-qv86-vq94	38.1.0
2026-04-04T14:31:15.967625+00:00	GHSA Importer	Affected by	VCID-k6fn-pcqn-byhu	https://github.com/advisories/GHSA-rmqc-wfjm-3f66	38.1.0
2026-04-04T14:31:15.854328+00:00	GHSA Importer	Affected by	VCID-enht-zcrt-mbe6	https://github.com/advisories/GHSA-66j3-66cp-6c2m	38.1.0
2026-04-04T14:31:15.424946+00:00	GHSA Importer	Affected by	VCID-5arh-exf5-zub1	https://github.com/advisories/GHSA-r2w2-2r2x-fpcx	38.1.0
2026-04-03T21:25:56.422541+00:00	GitLab Importer	Affected by	VCID-jbu9-bp56-rkgw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2010-3714.yml	38.1.0
2026-04-03T21:25:53.164533+00:00	GitLab Importer	Affected by	VCID-5arh-exf5-zub1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2010-5103.yml	38.1.0
2026-04-03T21:25:48.530480+00:00	GitLab Importer	Affected by	VCID-k6fn-pcqn-byhu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2010-5101.yml	38.1.0
2026-04-01T16:00:39.928040+00:00	GHSA Importer	Affected by	VCID-u1y7-xzfg-z7ce	https://github.com/advisories/GHSA-hwrc-w5gg-f335	38.0.0
2026-04-01T16:00:37.507917+00:00	GHSA Importer	Affected by	VCID-acey-xzmu-7yg9	https://github.com/advisories/GHSA-jg55-3q6h-2ccf	38.0.0
2026-04-01T16:00:37.367126+00:00	GHSA Importer	Affected by	VCID-tsmu-e547-8kdx	https://github.com/advisories/GHSA-c22j-84c7-cm77	38.0.0
2026-04-01T16:00:36.425848+00:00	GHSA Importer	Affected by	VCID-69fr-ztbp-z7gg	https://github.com/advisories/GHSA-74w6-ww7w-45j9	38.0.0
2026-04-01T16:00:36.294127+00:00	GHSA Importer	Affected by	VCID-zkmd-h3ch-ebbg	https://github.com/advisories/GHSA-q45q-5233-229p	38.0.0
2026-04-01T12:50:44.135854+00:00	GitLab Importer	Affected by	VCID-enht-zcrt-mbe6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2010-5099.yml	38.0.0
2026-04-01T12:50:01.633358+00:00	GitLab Importer	Affected by	VCID-69fr-ztbp-z7gg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0258.yml	38.0.0
2026-04-01T12:50:01.523328+00:00	GitLab Importer	Affected by	VCID-zkmd-h3ch-ebbg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0256.yml	38.0.0
2026-04-01T12:50:00.817241+00:00	GitLab Importer	Affected by	VCID-u1y7-xzfg-z7ce	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-3635.yml	38.0.0
2026-04-01T12:50:00.697781+00:00	GitLab Importer	Affected by	VCID-tsmu-e547-8kdx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0815.yml	38.0.0
2026-04-01T12:49:59.473789+00:00	GitLab Importer	Affected by	VCID-acey-xzmu-7yg9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0816.yml	38.0.0