Search for packages
Package details: pkg:composer/typo3/cms@4.0.0
purl pkg:composer/typo3/cms@4.0.0
Tags Ghost
Next non-vulnerable version 10.4.35
Latest non-vulnerable version 12.2.0
Risk 4.0
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-2vwe-5wpk-ebdj
Aliases:
CVE-2009-0256
GHSA-q45q-5233-229p
Authentication library in TYPO3 vulnerable to session fixation Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication.
4.0.10
Affected by 0 other vulnerabilities.
4.1.8
Affected by 0 other vulnerabilities.
4.2.4
Affected by 0 other vulnerabilities.
VCID-3vtw-fru3-gqf7
Aliases:
CVE-2009-0258
GHSA-74w6-ww7w-45j9
Indexed Search Engine for TYPO3 Command Execution via Metacharacter Injection The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer.
4.0.10
Affected by 0 other vulnerabilities.
4.1.8
Affected by 0 other vulnerabilities.
4.2.4
Affected by 0 other vulnerabilities.
VCID-cwsm-v895-nqc7
Aliases:
CVE-2015-5956
GHSA-989h-wv8x-933p
TYPO3 cross-site scripting (XSS) The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php and the (2) redirect_url parameter to index.php.
6.2.15
Affected by 79 other vulnerabilities.
7.4.0
Affected by 44 other vulnerabilities.
VCID-ye9t-zkkn-9bc2
Aliases:
CVE-2009-0816
GHSA-jg55-3q6h-2ccf
Typo3 Backend XSS Vulnerability An Information Disclosure vulnerability in jumpUrl mechanism, used to track access on web pages and provided files, allows a remote attacker to read arbitrary files on a host. The expected value of a mandatory hash secret, intended to invalidate such requests, is exposed to remote users allowing them to bypass access control by providing the correct value. There's no authentication required to exploit this vulnerability. The vulnerability allows to read any file, the web server user account has access to.
4.0.12
Affected by 0 other vulnerabilities.
4.1.10
Affected by 0 other vulnerabilities.
4.2.6
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-05T18:41:52.124554+00:00 GHSA Importer Affected by VCID-cwsm-v895-nqc7 https://github.com/advisories/GHSA-989h-wv8x-933p 37.0.0
2025-07-01T18:13:06.978013+00:00 GitLab Importer Affected by VCID-3vtw-fru3-gqf7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0258.yml 36.1.3
2025-07-01T18:13:06.867997+00:00 GitLab Importer Affected by VCID-2vwe-5wpk-ebdj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0256.yml 36.1.3
2025-07-01T18:13:04.833493+00:00 GitLab Importer Affected by VCID-ye9t-zkkn-9bc2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0816.yml 36.1.3
2025-07-01T14:31:50.046068+00:00 GHSA Importer Affected by VCID-ye9t-zkkn-9bc2 https://github.com/advisories/GHSA-jg55-3q6h-2ccf 36.1.3
2025-07-01T14:31:49.362040+00:00 GHSA Importer Affected by VCID-3vtw-fru3-gqf7 https://github.com/advisories/GHSA-74w6-ww7w-45j9 36.1.3
2025-07-01T14:31:49.267229+00:00 GHSA Importer Affected by VCID-2vwe-5wpk-ebdj https://github.com/advisories/GHSA-q45q-5233-229p 36.1.3