VulnerableCode Package Details - pkg:composer/typo3/cms@4.2.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-2kvs-ma3p-kkht Aliases: CVE-2009-3635 GHSA-hwrc-w5gg-f335	TYPO3 Install Tool Subcomponent Allows Access Using Only a Password's MD5 Hash as a Credential The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential.	4.2.10 Affected by 0 other vulnerabilities. 4.3.0-beta2 Affected by 0 other vulnerabilities.
VCID-2vwe-5wpk-ebdj Aliases: CVE-2009-0256 GHSA-q45q-5233-229p	Authentication library in TYPO3 vulnerable to session fixation Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication.	4.2.4 Affected by 0 other vulnerabilities.
VCID-3vtw-fru3-gqf7 Aliases: CVE-2009-0258 GHSA-74w6-ww7w-45j9	Indexed Search Engine for TYPO3 Command Execution via Metacharacter Injection The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer.	4.2.4 Affected by 0 other vulnerabilities.
VCID-4h31-swcq-suh9 Aliases: CVE-2010-3714 GHSA-w736-qv86-vq94	TYPO3 Remote File Disclosure vulnerability in the jumpUrl mechanism The jumpUrl (aka access tracking) implementation in `tslib/class.tslib_fe.php` in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allows remote attackers to read arbitrary files via unspecified vectors.	4.2.15 Affected by 0 other vulnerabilities. 4.3.7 Affected by 0 other vulnerabilities. 4.4.4 Affected by 0 other vulnerabilities.
VCID-au4n-kuzg-h3es Aliases: CVE-2009-0815 GHSA-c22j-84c7-cm77	TYPO3 leaks a hash secret in an error message The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.	4.2.6 Affected by 0 other vulnerabilities.
VCID-fvcm-r3eg-cfdd Aliases: CVE-2010-5101 GHSA-rmqc-wfjm-3f66	TYPO3 Directory Traversal vulnerability Directory traversal vulnerability in the TypoScript setup in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated administrators to read arbitrary files via unspecified vectors related to the "file inclusion functionality."	4.2.16 Affected by 0 other vulnerabilities. 4.3.9 Affected by 0 other vulnerabilities. 4.4.5 Affected by 0 other vulnerabilities.
VCID-r1et-gsp9-1bbp Aliases: CVE-2010-5099 GHSA-66j3-66cp-6c2m	TYPO3 Path Traversal vulnerability The fileDenyPattern functionality in the PHP file inclusion protection API in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly filter file types, which allows remote attackers to bypass intended access restrictions and access arbitrary PHP files, as demonstrated using path traversal sequences with %00 null bytes and CVE-2010-3714 to read the TYPO3 encryption key from localconf.php.	4.2.16 Affected by 0 other vulnerabilities. 4.3.9 Affected by 0 other vulnerabilities. 4.4.5 Affected by 0 other vulnerabilities.
VCID-v2e7-fwms-n3ag Aliases: CVE-2010-5103 GHSA-r2w2-2r2x-fpcx	TYPO3 SQL Injection vulnerability SQL injection vulnerability in the list module in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via unspecified vectors.	4.2.16 Affected by 0 other vulnerabilities. 4.3.9 Affected by 0 other vulnerabilities. 4.4.5 Affected by 0 other vulnerabilities.
VCID-ye9t-zkkn-9bc2 Aliases: CVE-2009-0816 GHSA-jg55-3q6h-2ccf	Typo3 Backend XSS Vulnerability An Information Disclosure vulnerability in jumpUrl mechanism, used to track access on web pages and provided files, allows a remote attacker to read arbitrary files on a host. The expected value of a mandatory hash secret, intended to invalidate such requests, is exposed to remote users allowing them to bypass access control by providing the correct value. There's no authentication required to exploit this vulnerability. The vulnerability allows to read any file, the web server user account has access to.	4.2.6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2kvs-ma3p-kkht
Aliases:
CVE-2009-3635
GHSA-hwrc-w5gg-f335

TYPO3 Install Tool Subcomponent Allows Access Using Only a Password's MD5 Hash as a Credential The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential.

4.2.10
Affected by 0 other vulnerabilities.

4.3.0-beta2
Affected by 0 other vulnerabilities.

VCID-2vwe-5wpk-ebdj
Aliases:
CVE-2009-0256
GHSA-q45q-5233-229p

Authentication library in TYPO3 vulnerable to session fixation Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication.

4.2.4
Affected by 0 other vulnerabilities.

VCID-3vtw-fru3-gqf7
Aliases:
CVE-2009-0258
GHSA-74w6-ww7w-45j9

Indexed Search Engine for TYPO3 Command Execution via Metacharacter Injection The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer.

4.2.4
Affected by 0 other vulnerabilities.

VCID-4h31-swcq-suh9
Aliases:
CVE-2010-3714
GHSA-w736-qv86-vq94

TYPO3 Remote File Disclosure vulnerability in the jumpUrl mechanism The jumpUrl (aka access tracking) implementation in `tslib/class.tslib_fe.php` in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allows remote attackers to read arbitrary files via unspecified vectors.

4.2.15
Affected by 0 other vulnerabilities.

4.3.7
Affected by 0 other vulnerabilities.

4.4.4
Affected by 0 other vulnerabilities.

VCID-au4n-kuzg-h3es
Aliases:
CVE-2009-0815
GHSA-c22j-84c7-cm77

TYPO3 leaks a hash secret in an error message The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.

4.2.6
Affected by 0 other vulnerabilities.

VCID-fvcm-r3eg-cfdd
Aliases:
CVE-2010-5101
GHSA-rmqc-wfjm-3f66

TYPO3 Directory Traversal vulnerability Directory traversal vulnerability in the TypoScript setup in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated administrators to read arbitrary files via unspecified vectors related to the "file inclusion functionality."

4.2.16
Affected by 0 other vulnerabilities.

4.3.9
Affected by 0 other vulnerabilities.

4.4.5
Affected by 0 other vulnerabilities.

VCID-r1et-gsp9-1bbp
Aliases:
CVE-2010-5099
GHSA-66j3-66cp-6c2m

TYPO3 Path Traversal vulnerability The fileDenyPattern functionality in the PHP file inclusion protection API in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly filter file types, which allows remote attackers to bypass intended access restrictions and access arbitrary PHP files, as demonstrated using path traversal sequences with %00 null bytes and CVE-2010-3714 to read the TYPO3 encryption key from localconf.php.

4.2.16
Affected by 0 other vulnerabilities.

4.3.9
Affected by 0 other vulnerabilities.

4.4.5
Affected by 0 other vulnerabilities.

VCID-v2e7-fwms-n3ag
Aliases:
CVE-2010-5103
GHSA-r2w2-2r2x-fpcx

TYPO3 SQL Injection vulnerability SQL injection vulnerability in the list module in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via unspecified vectors.

4.2.16
Affected by 0 other vulnerabilities.

4.3.9
Affected by 0 other vulnerabilities.

4.4.5
Affected by 0 other vulnerabilities.

VCID-ye9t-zkkn-9bc2
Aliases:
CVE-2009-0816
GHSA-jg55-3q6h-2ccf

Typo3 Backend XSS Vulnerability An Information Disclosure vulnerability in jumpUrl mechanism, used to track access on web pages and provided files, allows a remote attacker to read arbitrary files on a host. The expected value of a mandatory hash secret, intended to invalidate such requests, is exposed to remote users allowing them to bypass access control by providing the correct value. There's no authentication required to exploit this vulnerability. The vulnerability allows to read any file, the web server user account has access to.

4.2.6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-04T13:55:11.294519+00:00	GitLab Importer	Affected by	VCID-4h31-swcq-suh9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2010-3714.yml	37.0.0
2025-07-04T13:55:08.908987+00:00	GitLab Importer	Affected by	VCID-v2e7-fwms-n3ag	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2010-5103.yml	37.0.0
2025-07-01T18:13:49.439096+00:00	GitLab Importer	Affected by	VCID-fvcm-r3eg-cfdd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2010-5101.yml	36.1.3
2025-07-01T18:13:45.632209+00:00	GitLab Importer	Affected by	VCID-r1et-gsp9-1bbp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2010-5099.yml	36.1.3
2025-07-01T18:13:06.985123+00:00	GitLab Importer	Affected by	VCID-3vtw-fru3-gqf7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0258.yml	36.1.3
2025-07-01T18:13:06.875859+00:00	GitLab Importer	Affected by	VCID-2vwe-5wpk-ebdj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0256.yml	36.1.3
2025-07-01T18:13:06.185801+00:00	GitLab Importer	Affected by	VCID-2kvs-ma3p-kkht	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-3635.yml	36.1.3
2025-07-01T18:13:06.062486+00:00	GitLab Importer	Affected by	VCID-au4n-kuzg-h3es	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0815.yml	36.1.3
2025-07-01T18:13:04.836804+00:00	GitLab Importer	Affected by	VCID-ye9t-zkkn-9bc2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0816.yml	36.1.3
2025-07-01T14:31:51.837371+00:00	GHSA Importer	Affected by	VCID-2kvs-ma3p-kkht	https://github.com/advisories/GHSA-hwrc-w5gg-f335	36.1.3
2025-07-01T14:31:50.087141+00:00	GHSA Importer	Affected by	VCID-ye9t-zkkn-9bc2	https://github.com/advisories/GHSA-jg55-3q6h-2ccf	36.1.3
2025-07-01T14:31:49.988080+00:00	GHSA Importer	Affected by	VCID-au4n-kuzg-h3es	https://github.com/advisories/GHSA-c22j-84c7-cm77	36.1.3
2025-07-01T14:31:49.337058+00:00	GHSA Importer	Affected by	VCID-3vtw-fru3-gqf7	https://github.com/advisories/GHSA-74w6-ww7w-45j9	36.1.3
2025-07-01T14:31:49.243972+00:00	GHSA Importer	Affected by	VCID-2vwe-5wpk-ebdj	https://github.com/advisories/GHSA-q45q-5233-229p	36.1.3