VulnerableCode Package Details - pkg:composer/typo3/cms@4.1.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-2kvs-ma3p-kkht Aliases: CVE-2009-3635 GHSA-hwrc-w5gg-f335	TYPO3 Install Tool Subcomponent Allows Access Using Only a Password's MD5 Hash as a Credential The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential.	4.1.13 Affected by 0 other vulnerabilities. 4.2.10 Affected by 0 other vulnerabilities. 4.3.0-beta2 Affected by 0 other vulnerabilities.
VCID-2vwe-5wpk-ebdj Aliases: CVE-2009-0256 GHSA-q45q-5233-229p	Authentication library in TYPO3 vulnerable to session fixation Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication.	4.1.8 Affected by 0 other vulnerabilities. 4.2.4 Affected by 0 other vulnerabilities.
VCID-3vtw-fru3-gqf7 Aliases: CVE-2009-0258 GHSA-74w6-ww7w-45j9	Indexed Search Engine for TYPO3 Command Execution via Metacharacter Injection The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer.	4.1.8 Affected by 0 other vulnerabilities. 4.2.4 Affected by 0 other vulnerabilities.
VCID-au4n-kuzg-h3es Aliases: CVE-2009-0815 GHSA-c22j-84c7-cm77	TYPO3 leaks a hash secret in an error message The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.	4.1.10 Affected by 0 other vulnerabilities. 4.2.6 Affected by 0 other vulnerabilities.
VCID-ye9t-zkkn-9bc2 Aliases: CVE-2009-0816 GHSA-jg55-3q6h-2ccf	Typo3 Backend XSS Vulnerability An Information Disclosure vulnerability in jumpUrl mechanism, used to track access on web pages and provided files, allows a remote attacker to read arbitrary files on a host. The expected value of a mandatory hash secret, intended to invalidate such requests, is exposed to remote users allowing them to bypass access control by providing the correct value. There's no authentication required to exploit this vulnerability. The vulnerability allows to read any file, the web server user account has access to.	4.1.10 Affected by 0 other vulnerabilities. 4.2.6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2kvs-ma3p-kkht
Aliases:
CVE-2009-3635
GHSA-hwrc-w5gg-f335

TYPO3 Install Tool Subcomponent Allows Access Using Only a Password's MD5 Hash as a Credential The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential.

4.1.13
Affected by 0 other vulnerabilities.

4.2.10
Affected by 0 other vulnerabilities.

4.3.0-beta2
Affected by 0 other vulnerabilities.

VCID-2vwe-5wpk-ebdj
Aliases:
CVE-2009-0256
GHSA-q45q-5233-229p

Authentication library in TYPO3 vulnerable to session fixation Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication.

4.1.8
Affected by 0 other vulnerabilities.

4.2.4
Affected by 0 other vulnerabilities.

VCID-3vtw-fru3-gqf7
Aliases:
CVE-2009-0258
GHSA-74w6-ww7w-45j9

Indexed Search Engine for TYPO3 Command Execution via Metacharacter Injection The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer.

4.1.8
Affected by 0 other vulnerabilities.

4.2.4
Affected by 0 other vulnerabilities.

VCID-au4n-kuzg-h3es
Aliases:
CVE-2009-0815
GHSA-c22j-84c7-cm77

TYPO3 leaks a hash secret in an error message The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.

4.1.10
Affected by 0 other vulnerabilities.

4.2.6
Affected by 0 other vulnerabilities.

VCID-ye9t-zkkn-9bc2
Aliases:
CVE-2009-0816
GHSA-jg55-3q6h-2ccf

Typo3 Backend XSS Vulnerability An Information Disclosure vulnerability in jumpUrl mechanism, used to track access on web pages and provided files, allows a remote attacker to read arbitrary files on a host. The expected value of a mandatory hash secret, intended to invalidate such requests, is exposed to remote users allowing them to bypass access control by providing the correct value. There's no authentication required to exploit this vulnerability. The vulnerability allows to read any file, the web server user account has access to.

4.1.10
Affected by 0 other vulnerabilities.

4.2.6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T18:13:06.981873+00:00	GitLab Importer	Affected by	VCID-3vtw-fru3-gqf7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0258.yml	36.1.3
2025-07-01T18:13:06.871989+00:00	GitLab Importer	Affected by	VCID-2vwe-5wpk-ebdj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0256.yml	36.1.3
2025-07-01T18:13:06.183511+00:00	GitLab Importer	Affected by	VCID-2kvs-ma3p-kkht	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-3635.yml	36.1.3
2025-07-01T18:13:06.060532+00:00	GitLab Importer	Affected by	VCID-au4n-kuzg-h3es	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0815.yml	36.1.3
2025-07-01T18:13:04.835164+00:00	GitLab Importer	Affected by	VCID-ye9t-zkkn-9bc2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0816.yml	36.1.3
2025-07-01T14:31:51.942602+00:00	GHSA Importer	Affected by	VCID-2kvs-ma3p-kkht	https://github.com/advisories/GHSA-hwrc-w5gg-f335	36.1.3
2025-07-01T14:31:50.066935+00:00	GHSA Importer	Affected by	VCID-ye9t-zkkn-9bc2	https://github.com/advisories/GHSA-jg55-3q6h-2ccf	36.1.3
2025-07-01T14:31:49.947022+00:00	GHSA Importer	Affected by	VCID-au4n-kuzg-h3es	https://github.com/advisories/GHSA-c22j-84c7-cm77	36.1.3
2025-07-01T14:31:49.386080+00:00	GHSA Importer	Affected by	VCID-3vtw-fru3-gqf7	https://github.com/advisories/GHSA-74w6-ww7w-45j9	36.1.3
2025-07-01T14:31:49.290298+00:00	GHSA Importer	Affected by	VCID-2vwe-5wpk-ebdj	https://github.com/advisories/GHSA-q45q-5233-229p	36.1.3