{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14240?format=json","vulnerability_id":"VCID-tsmu-e547-8kdx","summary":"TYPO3 leaks a hash secret in an error message\nThe jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.","aliases":[{"alias":"CVE-2009-0815"},{"alias":"GHSA-c22j-84c7-cm77"}],"fixed_packages":[],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50324?format=json","purl":"pkg:composer/typo3/cms@3.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-acey-xzmu-7yg9"},{"vulnerability":"VCID-tsmu-e547-8kdx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@3.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/50326?format=json","purl":"pkg:composer/typo3/cms@4.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69fr-ztbp-z7gg"},{"vulnerability":"VCID-acey-xzmu-7yg9"},{"vulnerability":"VCID-tsmu-e547-8kdx"},{"vulnerability":"VCID-u1y7-xzfg-z7ce"},{"vulnerability":"VCID-zkmd-h3ch-ebbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@4.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/50327?format=json","purl":"pkg:composer/typo3/cms@4.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5arh-exf5-zub1"},{"vulnerability":"VCID-69fr-ztbp-z7gg"},{"vulnerability":"VCID-acey-xzmu-7yg9"},{"vulnerability":"VCID-enht-zcrt-mbe6"},{"vulnerability":"VCID-jbu9-bp56-rkgw"},{"vulnerability":"VCID-k6fn-pcqn-byhu"},{"vulnerability":"VCID-tsmu-e547-8kdx"},{"vulnerability":"VCID-u1y7-xzfg-z7ce"},{"vulnerability":"VCID-zkmd-h3ch-ebbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@4.2.0"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0815","reference_id":"","reference_type":"","scores":[{"value":"0.498","scoring_system":"epss","scoring_elements":"0.97795","published_at":"2026-04-04T12:55:00Z"},{"value":"0.498","scoring_system":"epss","scoring_elements":"0.97805","published_at":"2026-04-09T12:55:00Z"},{"value":"0.498","scoring_system":"epss","scoring_elements":"0.97787","published_at":"2026-04-01T12:55:00Z"},{"value":"0.498","scoring_system":"epss","scoring_elements":"0.97803","published_at":"2026-04-08T12:55:00Z"},{"value":"0.498","scoring_system":"epss","scoring_elements":"0.97793","published_at":"2026-04-02T12:55:00Z"},{"value":"0.498","scoring_system":"epss","scoring_elements":"0.97799","published_at":"2026-04-07T12:55:00Z"},{"value":"0.498","scoring_system":"epss","scoring_elements":"0.97818","published_at":"2026-04-21T12:55:00Z"},{"value":"0.498","scoring_system":"epss","scoring_elements":"0.9782","published_at":"2026-04-18T12:55:00Z"},{"value":"0.498","scoring_system":"epss","scoring_elements":"0.97817","published_at":"2026-04-24T12:55:00Z"},{"value":"0.498","scoring_system":"epss","scoring_elements":"0.97811","published_at":"2026-04-13T12:55:00Z"},{"value":"0.498","scoring_system":"epss","scoring_elements":"0.9781","published_at":"2026-04-12T12:55:00Z"},{"value":"0.498","scoring_system":"epss","scoring_elements":"0.97808","published_at":"2026-04-11T12:55:00Z"},{"value":"0.52771","scoring_system":"epss","scoring_elements":"0.97964","published_at":"2026-05-05T12:55:00Z"},{"value":"0.52771","scoring_system":"epss","scoring_elements":"0.97958","published_at":"2026-04-29T12:55:00Z"},{"value":"0.52771","scoring_system":"epss","scoring_elements":"0.97954","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0815"},{"reference_url":"https://github.com/TYPO3/typo3","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/typo3"},{"reference_url":"https://web.archive.org/web/20091206080208/http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20091206080208/http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002"},{"reference_url":"https://web.archive.org/web/20200915000000*/http://www.securitytracker.com/id?1021710","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200915000000*/http://www.securitytracker.com/id?1021710"},{"reference_url":"http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/","reference_id":"","reference_type":"","scores":[],"url":"http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/"},{"reference_url":"http://www.debian.org/security/2009/dsa-1720","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2009/dsa-1720"},{"reference_url":"http://www.openwall.com/lists/oss-security/2009/02/10/6","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2009/02/10/6"},{"reference_url":"http://www.securitytracker.com/id?1021710","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id?1021710"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:3.3.x:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:3.3.x:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:3.3.x:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:3.5.x:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:3.5.x:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:3.5.x:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:3.6.x:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:3.6.x:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:3.6.x:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:3.7.x:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:3.7.x:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:3.7.x:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:3.8.x:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:3.8.x:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:3.8.x:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.7:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.1.7:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.7:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.8:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.1.8:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.8:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.9:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.1.9:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.1.9:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.3:alpha1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:typo3:typo3:4.3:alpha1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:4.3:alpha1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2009-0815","reference_id":"CVE-2009-0815","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2009-0815"},{"reference_url":"https://github.com/advisories/GHSA-c22j-84c7-cm77","reference_id":"GHSA-c22j-84c7-cm77","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c22j-84c7-cm77"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/8038.py","reference_id":"OSVDB-52048;CVE-2009-0815","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/8038.py"}],"weaknesses":[{"cwe_id":200,"name":"Exposure of Sensitive Information to an Unauthorized Actor","description":"The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information."},{"cwe_id":209,"name":"Generation of Error Message Containing Sensitive Information","description":"The product generates an error message that includes sensitive information about its environment, users, or associated data."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[{"date_added":null,"description":"This module exploits a file disclosure vulnerability in the jumpUrl mechanism of\n          Typo3. This flaw can be used to read any file that the web server user account has\n          access to.","required_action":null,"due_date":null,"notes":"Stability:\n  - crash-safe\nSideEffects:\n  - ioc-in-logs\nReliability: []\n","known_ransomware_campaign_use":false,"source_date_published":"2009-02-10","exploit_type":null,"platform":"","source_date_updated":null,"data_source":"Metasploit","source_url":"https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/admin/http/typo3_sa_2009_002.rb"},{"date_added":"2009-02-09","description":"TYPO3 < 4.0.12/4.1.10/4.2.6 - 'jumpUrl' Remote File Disclosure","required_action":null,"due_date":null,"notes":null,"known_ransomware_campaign_use":true,"source_date_published":"2009-02-10","exploit_type":"webapps","platform":"php","source_date_updated":null,"data_source":"Exploit-DB","source_url":""}],"severity_range_score":"4.0 - 6.9","exploitability":"2.0","weighted_severity":"6.2","risk_score":10.0,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tsmu-e547-8kdx"}