Debian DSA-1926-1 : typo3-src - several vulnerabilities
2010-02-24T00:00:00
ID DEBIAN_DSA-1926.NASL Type nessus Reporter This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2010-02-24T00:00:00
Description
Several remote vulnerabilities have been discovered in the TYPO3 web
content management framework. The Common Vulnerabilities and Exposures
project identifies the following problems :
CVE-2009-3628
The Backend subcomponent allows remote authenticated
users to determine an encryption key via crafted input
to a form field.
CVE-2009-3629
Multiple cross-site scripting (XSS) vulnerabilities in
the Backend subcomponent allow remote authenticated
users to inject arbitrary web script or HTML.
CVE-2009-3630
The Backend subcomponent allows remote authenticated
users to place arbitrary websites in TYPO3 backend
framesets via crafted parameters.
CVE-2009-3631
The Backend subcomponent, when the DAM extension or ftp
upload is enabled, allows remote authenticated users to
execute arbitrary commands via shell metacharacters in a
filename.
CVE-2009-3632
SQL injection vulnerability in the traditional frontend
editing feature in the Frontend Editing subcomponent
allows remote authenticated users to execute arbitrary
SQL commands.
CVE-2009-3633
Cross-site scripting (XSS) vulnerability allows remote
attackers to inject arbitrary web script.
CVE-2009-3634
Cross-site scripting (XSS) vulnerability in the Frontend
Login Box (aka felogin) subcomponent allows remote
attackers to inject arbitrary web script or HTML.
CVE-2009-3635
The Install Tool subcomponent allows remote attackers to
gain access by using only the password's md5 hash as a
credential.
CVE-2009-3636
Cross-site scripting (XSS) vulnerability in the Install
Tool subcomponent allows remote attackers to inject
arbitrary web script or HTML.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1926. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration phase: when `description` is set, the plugin only declares
# its metadata (IDs, advisory text, references, scoring, scheduling
# requirements) and then exits via exit(0) without inspecting any package.
if (description)
{
# Plugin ID and revision bookkeeping.
script_id(44791);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");
# The nine CVEs covered by this one advisory, plus the DSA cross-reference.
script_cve_id("CVE-2009-3628", "CVE-2009-3629", "CVE-2009-3630", "CVE-2009-3631", "CVE-2009-3632", "CVE-2009-3633", "CVE-2009-3634", "CVE-2009-3635", "CVE-2009-3636");
script_xref(name:"DSA", value:"1926");
script_name(english:"Debian DSA-1926-1 : typo3-src - several vulnerabilities");
# The summary states the detection method: a package-version check against
# dpkg output, not a probe of the TYPO3 application itself.
script_summary(english:"Checks dpkg output for the updated package");
script_set_attribute(
attribute:"synopsis",
value:"The remote Debian host is missing a security-related update."
);
# Advisory text reproduced from DSA-1926 (see the copyright header of the file).
# The string spans physical lines; its layout is part of the literal.
script_set_attribute(
attribute:"description",
value:
"Several remote vulnerabilities have been discovered in the TYPO3 web
content management framework. The Common Vulnerabilities and Exposures
project identifies the following problems :
- CVE-2009-3628
The Backend subcomponent allows remote authenticated
users to determine an encryption key via crafted input
to a form field.
- CVE-2009-3629
Multiple cross-site scripting (XSS) vulnerabilities in
the Backend subcomponent allow remote authenticated
users to inject arbitrary web script or HTML.
- CVE-2009-3630
The Backend subcomponent allows remote authenticated
users to place arbitrary websites in TYPO3 backend
framesets via crafted parameters.
- CVE-2009-3631
The Backend subcomponent, when the DAM extension or ftp
upload is enabled, allows remote authenticated users to
execute arbitrary commands via shell metacharacters in a
filename.
- CVE-2009-3632
SQL injection vulnerability in the traditional frontend
editing feature in the Frontend Editing subcomponent
allows remote authenticated users to execute arbitrary
SQL commands.
- CVE-2009-3633
Cross-site scripting (XSS) vulnerability allows remote
attackers to inject arbitrary web script.
- CVE-2009-3634
Cross-site scripting (XSS) vulnerability in the Frontend
Login Box (aka felogin) subcomponent allows remote
attackers to inject arbitrary web script or HTML.
- CVE-2009-3635
The Install Tool subcomponent allows remote attackers to
gain access by using only the password's md5 hash as a
credential.
- CVE-2009-3636
Cross-site scripting (XSS) vulnerability in the Install
Tool subcomponent allows remote attackers to inject
arbitrary web script or HTML."
);
# References: the Debian bug report, one security-tracker page per CVE,
# and the DSA page itself.
script_set_attribute(
attribute:"see_also",
value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552020"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2009-3628"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2009-3629"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2009-3630"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2009-3631"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2009-3632"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2009-3633"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2009-3634"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2009-3635"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2009-3636"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.debian.org/security/2009/dsa-1926"
);
# Remediation: fixed package versions for etch and lenny. These are the
# same version strings the check section compares against.
script_set_attribute(
attribute:"solution",
value:
"Upgrade the typo3-src package.
For the old stable distribution (etch), these problems have been fixed
in version 4.0.2+debian-9.
For the stable distribution (lenny), these problems have been fixed in
version 4.2.5-1+lenny2."
);
# A single CVSS v2 vector is attached to all nine CVEs.
# NOTE(review): Au:S means one authentication is required, yet the
# description above lists CVE-2009-3633 to CVE-2009-3636 as reachable by
# "remote attackers" without the "authenticated" qualifier; prioritise
# per CVE rather than on this aggregate vector alone.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
# CWE IDs: 79 XSS, 89 SQL injection, 94 code injection, 200 information
# exposure, 287 improper authentication, 352 CSRF.
# NOTE(review): the mapping of each ID to a specific CVE is not stated
# here; no CSRF issue is spelled out in the description text, so confirm
# what 352 refers to.
script_cwe_id(79, 89, 94, 200, 287, 352);
# "local" plugin type; the finding is derived from host-side package data
# (see the required KB keys below) rather than from network traffic.
script_set_attribute(attribute:"plugin_type", value:"local");
# CPEs: the affected Debian package and the two covered releases (4.0, 5.0).
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:typo3-src");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
# The fix was published 2009/11/04; this plugin followed on 2010/02/24.
script_set_attribute(attribute:"patch_publication_date", value:"2009/11/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Debian Local Security Checks");
# Scheduling requirements: ssh_get_info.nasl is declared as a dependency,
# and the three KB keys below are required. The check section reads the
# same three keys again before doing any work.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
# Metadata only: leave before the check logic.
exit(0);
}
include("audit.inc");
include("debian_package.inc");
# Preconditions. Each audit() call reports why the plugin cannot give a
# verdict: local checks disabled, host not identified as Debian, or no
# dpkg package list in the KB.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}
if (!get_kb_item("Host/Debian/release"))
{
  audit(AUDIT_OS_NOT, "Debian");
}
if (!get_kb_item("Host/Debian/dpkg-l"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Count the package checks that fire. deb_check() comes from
# debian_package.inc (not shown here); presumably it compares the installed
# version of packages matching `prefix` on the given release against
# `reference` -- confirm against the include. All four calls are made
# unconditionally, as in the original, so none is skipped once one matches.
#
# The verdict rests on the recorded package version only: TYPO3 itself is
# never contacted, so a copy deployed outside dpkg is not covered by this
# check.
outdated_pkgs = 0;

# Debian 4.0 (etch): fixed in 4.0.2+debian-9.
if (deb_check(release:"4.0", prefix:"typo3", reference:"4.0.2+debian-9"))
{
  outdated_pkgs += 1;
}
if (deb_check(release:"4.0", prefix:"typo3-src-4.0", reference:"4.0.2+debian-9"))
{
  outdated_pkgs += 1;
}

# Debian 5.0 (lenny): fixed in 4.2.5-1+lenny2.
if (deb_check(release:"5.0", prefix:"typo3", reference:"4.2.5-1+lenny2"))
{
  outdated_pkgs += 1;
}
if (deb_check(release:"5.0", prefix:"typo3-src-4.2", reference:"4.2.5-1+lenny2"))
{
  outdated_pkgs += 1;
}

if (!outdated_pkgs)
{
  # No check fired: record the host as not affected.
  audit(AUDIT_HOST_NOT, "affected");
}
else
{
  # At least one check fired: raise the finding on port 0, attaching the
  # text from deb_report_get() only when report verbosity is above zero.
  if (report_verbosity > 0)
  {
    security_hole(port:0, extra:deb_report_get());
  }
  else
  {
    security_hole(0);
  }
  exit(0);
}
{"id": "DEBIAN_DSA-1926.NASL", "bulletinFamily": "scanner", "title": "Debian DSA-1926-1 : typo3-src - several vulnerabilities", "description": "Several remote vulnerabilities have been discovered in the TYPO3 web\ncontent management framework. The Common Vulnerabilities and Exposures\nproject identifies the following problems :\n\n - CVE-2009-3628\n The Backend subcomponent allows remote authenticated\n users to determine an encryption key via crafted input\n to a form field.\n\n - CVE-2009-3629\n Multiple cross-site scripting (XSS) vulnerabilities in\n the Backend subcomponent allow remote authenticated\n users to inject arbitrary web script or HTML.\n\n - CVE-2009-3630\n The Backend subcomponent allows remote authenticated\n users to place arbitrary websites in TYPO3 backend\n framesets via crafted parameters.\n\n - CVE-2009-3631\n The Backend subcomponent, when the DAM extension or ftp\n upload is enabled, allows remote authenticated users to\n execute arbitrary commands via shell metacharacters in a\n filename.\n\n - CVE-2009-3632\n SQL injection vulnerability in the traditional frontend\n editing feature in the Frontend Editing subcomponent\n allows remote authenticated users to execute arbitrary\n SQL commands.\n\n - CVE-2009-3633\n Cross-site scripting (XSS) vulnerability allows remote\n attackers to inject arbitrary web script.\n\n - CVE-2009-3634\n Cross-site scripting (XSS) vulnerability in the Frontend\n Login Box (aka felogin) subcomponent allows remote\n attackers to inject arbitrary web script or HTML.\n\n - CVE-2009-3635\n The Install Tool subcomponent allows remote attackers to\n gain access by using only the password's md5 hash as a\n credential.\n\n - CVE-2009-3636\n Cross-site scripting (XSS) vulnerability in the Install\n Tool subcomponent allows remote attackers to inject\n arbitrary web script or HTML.", "published": "2010-02-24T00:00:00", "modified": "2010-02-24T00:00:00", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, 
"href": "https://www.tenable.com/plugins/nessus/44791", "reporter": "This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://www.debian.org/security/2009/dsa-1926", "https://security-tracker.debian.org/tracker/CVE-2009-3633", "https://security-tracker.debian.org/tracker/CVE-2009-3636", "https://security-tracker.debian.org/tracker/CVE-2009-3630", "https://security-tracker.debian.org/tracker/CVE-2009-3632", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552020", "https://security-tracker.debian.org/tracker/CVE-2009-3628", "https://security-tracker.debian.org/tracker/CVE-2009-3629", "https://security-tracker.debian.org/tracker/CVE-2009-3635", "https://security-tracker.debian.org/tracker/CVE-2009-3631", "https://security-tracker.debian.org/tracker/CVE-2009-3634"], "cvelist": ["CVE-2009-3635", "CVE-2009-3630", "CVE-2009-3633", "CVE-2009-3629", "CVE-2009-3632", "CVE-2009-3631", "CVE-2009-3628", "CVE-2009-3636", "CVE-2009-3634"], "type": "nessus", "lastseen": "2021-01-06T09:45:41", "edition": 28, "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310803991", "OPENVAS:1361412562310803990", "OPENVAS:66154", "OPENVAS:66206", "OPENVAS:136141256231066206", "OPENVAS:136141256231066154"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10371", "SECURITYVULNS:DOC:22737"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1926-1:5437C"]}, {"type": "freebsd", "idList": ["6693BAD2-CA50-11DE-8EE8-00215C6A37BB"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_6693BAD2CA5011DE8EE800215C6A37BB.NASL"]}, {"type": "cve", "idList": ["CVE-2009-3635", "CVE-2009-3633", "CVE-2009-3628", "CVE-2009-3631", "CVE-2009-3629", "CVE-2009-3634", "CVE-2009-3632", "CVE-2009-3630", "CVE-2009-3636"]}], "modified": "2021-01-06T09:45:41", "rev": 2}, "score": {"value": 7.1, "vector": "NONE", "modified": "2021-01-06T09:45:41", "rev": 2}, "vulnersScore": 7.1}, "sourceData": 
"#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1926. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(44791);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2009-3628\", \"CVE-2009-3629\", \"CVE-2009-3630\", \"CVE-2009-3631\", \"CVE-2009-3632\", \"CVE-2009-3633\", \"CVE-2009-3634\", \"CVE-2009-3635\", \"CVE-2009-3636\");\n script_xref(name:\"DSA\", value:\"1926\");\n\n script_name(english:\"Debian DSA-1926-1 : typo3-src - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several remote vulnerabilities have been discovered in the TYPO3 web\ncontent management framework. 
The Common Vulnerabilities and Exposures\nproject identifies the following problems :\n\n - CVE-2009-3628\n The Backend subcomponent allows remote authenticated\n users to determine an encryption key via crafted input\n to a form field.\n\n - CVE-2009-3629\n Multiple cross-site scripting (XSS) vulnerabilities in\n the Backend subcomponent allow remote authenticated\n users to inject arbitrary web script or HTML.\n\n - CVE-2009-3630\n The Backend subcomponent allows remote authenticated\n users to place arbitrary websites in TYPO3 backend\n framesets via crafted parameters.\n\n - CVE-2009-3631\n The Backend subcomponent, when the DAM extension or ftp\n upload is enabled, allows remote authenticated users to\n execute arbitrary commands via shell metacharacters in a\n filename.\n\n - CVE-2009-3632\n SQL injection vulnerability in the traditional frontend\n editing feature in the Frontend Editing subcomponent\n allows remote authenticated users to execute arbitrary\n SQL commands.\n\n - CVE-2009-3633\n Cross-site scripting (XSS) vulnerability allows remote\n attackers to inject arbitrary web script.\n\n - CVE-2009-3634\n Cross-site scripting (XSS) vulnerability in the Frontend\n Login Box (aka felogin) subcomponent allows remote\n attackers to inject arbitrary web script or HTML.\n\n - CVE-2009-3635\n The Install Tool subcomponent allows remote attackers to\n gain access by using only the password's md5 hash as a\n credential.\n\n - CVE-2009-3636\n Cross-site scripting (XSS) vulnerability in the Install\n Tool subcomponent allows remote attackers to inject\n arbitrary web script or HTML.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552020\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-3628\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-3629\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-3630\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-3631\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-3632\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-3633\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-3634\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-3635\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-3636\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2009/dsa-1926\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the typo3-src package.\n\nFor the old stable distribution (etch), these problems have been fixed\nin version 4.0.2+debian-9.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 4.2.5-1+lenny2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_cwe_id(79, 89, 94, 200, 287, 352);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:typo3-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"4.0\", prefix:\"typo3\", reference:\"4.0.2+debian-9\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"typo3-src-4.0\", reference:\"4.0.2+debian-9\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"typo3\", reference:\"4.2.5-1+lenny2\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"typo3-src-4.2\", reference:\"4.2.5-1+lenny2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Debian Local Security Checks", "pluginID": "44791", "cpe": ["cpe:/o:debian:debian_linux:4.0", "p-cpe:/a:debian:debian_linux:typo3-src", "cpe:/o:debian:debian_linux:5.0"], "scheme": null}
{"openvas": [{"lastseen": "2017-07-24T12:56:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3635", "CVE-2009-3630", "CVE-2009-3633", "CVE-2009-3629", "CVE-2009-3632", "CVE-2009-3631", "CVE-2009-3628", "CVE-2009-3636", "CVE-2009-3634"], "description": "The remote host is missing an update to typo3-src\nannounced via advisory DSA 1926-1.", "modified": "2017-07-07T00:00:00", "published": "2009-11-11T00:00:00", "id": "OPENVAS:66206", "href": "http://plugins.openvas.org/nasl.php?oid=66206", "type": "openvas", "title": "Debian Security Advisory DSA 1926-1 (typo3-src)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1926_1.nasl 6615 2017-07-07 12:09:52Z cfischer $\n# Description: Auto-generated from advisory DSA 1926-1 (typo3-src)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several remote vulnerabilities have been discovered in the TYPO3 web\ncontent management framework. 
The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2009-3628\n\nThe Backend subcomponent allows remote authenticated users to\ndetermine an encryption key via crafted input to a form field.\n\nCVE-2009-3629\n\nMultiple cross-site scripting (XSS) vulnerabilities in the\nBackend subcomponent allow remote authenticated users to inject\narbitrary web script or HTML.\n\nCVE-2009-3630\n\nThe Backend subcomponent allows remote authenticated users to\nplace arbitrary web sites in TYPO3 backend framesets via\ncrafted parameters.\n\nCVE-2009-3631\n\nThe Backend subcomponent, when the DAM extension or ftp upload\nis enabled, allows remote authenticated users to execute\narbitrary commands via shell metacharacters in a filename.\n\nCVE-2009-3632\n\nSQL injection vulnerability in the traditional frontend editing\nfeature in the Frontend Editing subcomponent allows remote\nauthenticated users to execute arbitrary SQL commands.\n\nCVE-2009-3633\n\nCross-site scripting (XSS) vulnerability in allows remote\nattackers to inject arbitrary web script.\n\nCVE-2009-3634\n\nCross-site scripting (XSS) vulnerability in the Frontend Login Box\n(aka felogin) subcomponent allows remote attackers to inject\narbitrary web script or HTML.\n\nCVE-2009-3635\n\nThe Install Tool subcomponent allows remote attackers to gain access\nby using only the password's md5 hash as a credential.\n\nCVE-2009-3636\n\nCross-site scripting (XSS) vulnerability in the Install Tool\nsubcomponen allows remote attackers to inject arbitrary web script\nor HTML.\n\nFor the old stable distribution (etch), these problems have been fixed\nin version 4.0.2+debian-9.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 4.2.5-1+lenny2.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 4.2.10-1.\n\nWe recommend that you upgrade your typo3-src package.\";\ntag_summary = \"The remote host is missing an update to 
typo3-src\nannounced via advisory DSA 1926-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201926-1\";\n\n\nif(description)\n{\n script_id(66206);\n script_version(\"$Revision: 6615 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:09:52 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-11 15:56:44 +0100 (Wed, 11 Nov 2009)\");\n script_cve_id(\"CVE-2009-3628\", \"CVE-2009-3629\", \"CVE-2009-3630\", \"CVE-2009-3631\", \"CVE-2009-3632\", \"CVE-2009-3633\", \"CVE-2009-3634\", \"CVE-2009-3635\", \"CVE-2009-3636\");\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1926-1 (typo3-src)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"typo3-src-4.0\", ver:\"4.0.2+debian-9\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"typo3\", ver:\"4.0.2+debian-9\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"typo3-src-4.2\", ver:\"4.2.5-1+lenny2\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"typo3\", ver:\"4.2.5-1+lenny2\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") 
{\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:39:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3635", "CVE-2009-3630", "CVE-2009-3633", "CVE-2009-3629", "CVE-2009-3632", "CVE-2009-3631", "CVE-2009-3628", "CVE-2009-3636", "CVE-2009-3634"], "description": "The remote host is missing an update to typo3-src\nannounced via advisory DSA 1926-1.", "modified": "2018-04-06T00:00:00", "published": "2009-11-11T00:00:00", "id": "OPENVAS:136141256231066206", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066206", "type": "openvas", "title": "Debian Security Advisory DSA 1926-1 (typo3-src)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1926_1.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory DSA 1926-1 (typo3-src)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several remote vulnerabilities have been discovered in the TYPO3 web\ncontent management framework. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2009-3628\n\nThe Backend subcomponent allows remote authenticated users to\ndetermine an encryption key via crafted input to a form field.\n\nCVE-2009-3629\n\nMultiple cross-site scripting (XSS) vulnerabilities in the\nBackend subcomponent allow remote authenticated users to inject\narbitrary web script or HTML.\n\nCVE-2009-3630\n\nThe Backend subcomponent allows remote authenticated users to\nplace arbitrary web sites in TYPO3 backend framesets via\ncrafted parameters.\n\nCVE-2009-3631\n\nThe Backend subcomponent, when the DAM extension or ftp upload\nis enabled, allows remote authenticated users to execute\narbitrary commands via shell metacharacters in a filename.\n\nCVE-2009-3632\n\nSQL injection vulnerability in the traditional frontend editing\nfeature in the Frontend Editing subcomponent allows remote\nauthenticated users to execute arbitrary SQL commands.\n\nCVE-2009-3633\n\nCross-site scripting (XSS) vulnerability in allows remote\nattackers to inject arbitrary web script.\n\nCVE-2009-3634\n\nCross-site scripting (XSS) vulnerability in the Frontend Login Box\n(aka felogin) subcomponent allows remote attackers to inject\narbitrary web script or HTML.\n\nCVE-2009-3635\n\nThe Install Tool subcomponent allows remote attackers to gain access\nby using only the password's md5 hash as a credential.\n\nCVE-2009-3636\n\nCross-site scripting (XSS) vulnerability in the Install Tool\nsubcomponen allows remote attackers to inject arbitrary web script\nor 
HTML.\n\nFor the old stable distribution (etch), these problems have been fixed\nin version 4.0.2+debian-9.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 4.2.5-1+lenny2.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 4.2.10-1.\n\nWe recommend that you upgrade your typo3-src package.\";\ntag_summary = \"The remote host is missing an update to typo3-src\nannounced via advisory DSA 1926-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201926-1\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66206\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-11 15:56:44 +0100 (Wed, 11 Nov 2009)\");\n script_cve_id(\"CVE-2009-3628\", \"CVE-2009-3629\", \"CVE-2009-3630\", \"CVE-2009-3631\", \"CVE-2009-3632\", \"CVE-2009-3633\", \"CVE-2009-3634\", \"CVE-2009-3635\", \"CVE-2009-3636\");\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1926-1 (typo3-src)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"typo3-src-4.0\", ver:\"4.0.2+debian-9\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"typo3\", ver:\"4.0.2+debian-9\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"typo3-src-4.2\", ver:\"4.2.5-1+lenny2\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"typo3\", ver:\"4.2.5-1+lenny2\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:38:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3635", "CVE-2009-3630", "CVE-2009-3633", "CVE-2009-3629", "CVE-2009-3632", "CVE-2009-3631", "CVE-2009-3628", "CVE-2009-3636", "CVE-2009-3634"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2018-04-06T00:00:00", "published": "2009-11-11T00:00:00", "id": "OPENVAS:136141256231066154", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066154", "type": "openvas", "title": "FreeBSD Ports: typo3", "sourceData": "#\n#VID 6693bad2-ca50-11de-8ee8-00215c6a37bb\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated 
from VID 6693bad2-ca50-11de-8ee8-00215c6a37bb\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: typo3\n\nCVE-2009-3628\nThe Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before\n4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote\nauthenticated users to determine an encryption key via crafted input\nto a tt_content form element.\n\nCVE-2009-3629\nMultiple cross-site scripting (XSS) vulnerabilities in the Backend\nsubcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x\nbefore 4.2.10, and 4.3.x before 4.3beta2 allow remote authenticated\nusers to inject arbitrary web script or HTML via unspecified vectors.\n\nCVE-2009-3630\nThe Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before\n4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote\nauthenticated users to place arbitrary web sites in TYPO3 backend\nframesets via crafted parameters, related to a 'frame hijacking'\nissue.\n\nCVE-2009-3631\nThe Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before\n4.1.13, 
4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM\nextension or ftp upload is enabled, allows remote authenticated users\nto execute arbitrary commands via shell metacharacters in a filename.\n\nCVE-2009-3632\nSQL injection vulnerability in the traditional frontend editing\nfeature in the Frontend Editing subcomponent in TYPO3 4.0.13 and\nearlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before\n4.3beta2 allows remote authenticated users to execute arbitrary SQL\ncommands via unspecified parameters.\n\nCVE-2009-3633\nCross-site scripting (XSS) vulnerability in the\nt3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier,\n4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2\nallows remote attackers to inject arbitrary web script or HTML via\nunspecified vectors related to the sanitizing algorithm.\n\nCVE-2009-3634\nCross-site scripting (XSS) vulnerability in the Frontend Login Box\n(aka felogin) subcomponent in TYPO3 4.2.0 through 4.2.6 allows remote\nattackers to inject arbitrary web script or HTML via unspecified\nparameters.\n\nCVE-2009-3635\nThe Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x\nbefore 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows\nremote attackers to gain access by using only the password's md5 hash\nas a credential.\n\nCVE-2009-3636\nCross-site scripting (XSS) vulnerability in the Install Tool\nsubcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x\nbefore 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to\ninject arbitrary web script or HTML via unspecified parameters.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/\nhttp://secunia.com/advisories/37122/\nhttp://www.vuxml.org/freebsd/6693bad2-ca50-11de-8ee8-00215c6a37bb.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced 
advisory.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66154\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-11 15:56:44 +0100 (Wed, 11 Nov 2009)\");\n script_cve_id(\"CVE-2009-3628\", \"CVE-2009-3629\", \"CVE-2009-3630\", \"CVE-2009-3631\", \"CVE-2009-3632\", \"CVE-2009-3633\", \"CVE-2009-3634\", \"CVE-2009-3635\", \"CVE-2009-3636\");\n script_bugtraq_id(36801);\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: typo3\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"typo3\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.2.10\")<0) {\n txt += 'Package typo3 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:13:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3635", "CVE-2009-3630", "CVE-2009-3633", "CVE-2009-3629", 
"CVE-2009-3632", "CVE-2009-3631", "CVE-2009-3628", "CVE-2009-3636", "CVE-2009-3634"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-12-28T00:00:00", "published": "2009-11-11T00:00:00", "id": "OPENVAS:66154", "href": "http://plugins.openvas.org/nasl.php?oid=66154", "type": "openvas", "title": "FreeBSD Ports: typo3", "sourceData": "#\n#VID 6693bad2-ca50-11de-8ee8-00215c6a37bb\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 6693bad2-ca50-11de-8ee8-00215c6a37bb\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: typo3\n\nCVE-2009-3628\nThe Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before\n4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote\nauthenticated users to determine an encryption key via crafted input\nto a tt_content form element.\n\nCVE-2009-3629\nMultiple cross-site scripting (XSS) vulnerabilities in the Backend\nsubcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x\nbefore 4.2.10, and 4.3.x before 4.3beta2 allow remote authenticated\nusers to inject arbitrary web script or HTML via unspecified vectors.\n\nCVE-2009-3630\nThe Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before\n4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote\nauthenticated users to place arbitrary web sites in TYPO3 backend\nframesets via crafted parameters, related to a 'frame hijacking'\nissue.\n\nCVE-2009-3631\nThe Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before\n4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM\nextension or ftp upload is enabled, allows remote authenticated users\nto execute arbitrary commands via shell metacharacters in a filename.\n\nCVE-2009-3632\nSQL injection vulnerability in the traditional frontend editing\nfeature in the Frontend Editing subcomponent in TYPO3 4.0.13 and\nearlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before\n4.3beta2 allows remote authenticated users to execute arbitrary SQL\ncommands via unspecified parameters.\n\nCVE-2009-3633\nCross-site scripting (XSS) vulnerability in the\nt3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier,\n4.1.x before 4.1.13, 4.2.x before 
4.2.10, and 4.3.x before 4.3beta2\nallows remote attackers to inject arbitrary web script or HTML via\nunspecified vectors related to the sanitizing algorithm.\n\nCVE-2009-3634\nCross-site scripting (XSS) vulnerability in the Frontend Login Box\n(aka felogin) subcomponent in TYPO3 4.2.0 through 4.2.6 allows remote\nattackers to inject arbitrary web script or HTML via unspecified\nparameters.\n\nCVE-2009-3635\nThe Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x\nbefore 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows\nremote attackers to gain access by using only the password's md5 hash\nas a credential.\n\nCVE-2009-3636\nCross-site scripting (XSS) vulnerability in the Install Tool\nsubcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x\nbefore 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to\ninject arbitrary web script or HTML via unspecified parameters.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/\nhttp://secunia.com/advisories/37122/\nhttp://www.vuxml.org/freebsd/6693bad2-ca50-11de-8ee8-00215c6a37bb.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(66154);\n script_version(\"$Revision: 4865 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-12-28 17:16:43 +0100 (Wed, 28 Dec 2016) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-11 15:56:44 +0100 (Wed, 11 Nov 2009)\");\n script_cve_id(\"CVE-2009-3628\", \"CVE-2009-3629\", \"CVE-2009-3630\", \"CVE-2009-3631\", \"CVE-2009-3632\", \"CVE-2009-3633\", \"CVE-2009-3634\", \"CVE-2009-3635\", \"CVE-2009-3636\");\n script_bugtraq_id(36801);\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: typo3\");\n\n\n\n 
script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"typo3\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.2.10\")<0) {\n txt += 'Package typo3 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3635", "CVE-2009-3630", "CVE-2009-3633", "CVE-2009-3629", "CVE-2009-3632", "CVE-2009-3631", "CVE-2009-3628", "CVE-2009-3636"], "description": "This host is installed with TYPO3 and is prone to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2013-12-27T00:00:00", "id": "OPENVAS:1361412562310803990", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803990", "type": "openvas", "title": "TYPO3 Multiple Vulnerabilities Oct09", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_typo3_mult_vuln_oct_09.nasl 11867 2018-10-12 10:48:11Z cfischer $\n#\n# TYPO3 Multiple Vulnerabilities Oct09\n#\n# Authors:\n# Shashi Kiran N <nskiran@secpod.com>\n#\n# Copyright:\n# 
Copyright (C) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:typo3:typo3\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803990\");\n script_version(\"$Revision: 11867 $\");\n script_cve_id(\"CVE-2009-3628\", \"CVE-2009-3629\", \"CVE-2009-3630\", \"CVE-2009-3631\",\n \"CVE-2009-3632\", \"CVE-2009-3633\", \"CVE-2009-3635\", \"CVE-2009-3636\");\n script_bugtraq_id(36801);\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:48:11 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-27 12:45:17 +0530 (Fri, 27 Dec 2013)\");\n script_name(\"TYPO3 Multiple Vulnerabilities Oct09\");\n\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to steal the\nvictim's cookie-based authentication credentials or execute arbitrary code.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Multiple error exists in the application,\n\n - Multiple errors in 
Backend subcomponent, which fails to validate user\nsupplied input properly.\n\n - An error exist in Frontend Editing, which fails to sanitize URL parameters\nproperly.\n\n - An error exist in API function t3lib_div::quoteJSvalue, which fails to\nvalidate user supplied input properly.\n\n - Multiple error exist in Install Tool, which allows login with know md5 hash of\nInstall Tool password.\");\n script_tag(name:\"solution\", value:\"Upgrade to TYPO3 version 4.1.13, 4.2.10, 4.3beta2 or later.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"This host is installed with TYPO3 and is prone to multiple vulnerabilities.\");\n script_tag(name:\"affected\", value:\"TYPO3 versions 4.0.13 and below, 4.1.0 to 4.1.12, 4.2.0 to 4.2.9 and 4.3.0beta1\");\n\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/53917\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/37122\");\n script_xref(name:\"URL\", value:\"http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2009-016/\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_typo3_detect.nasl\");\n script_mandatory_keys(\"TYPO3/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\n\nif(!typoPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(typoVer = get_app_version(cpe:CPE, port:typoPort))\n{\n if( typoVer !~ \"[0-9]+\\.[0-9]+\\.[0-9]+\" ) exit( 0 ); # Version is not exact enough\n if(version_is_less(version:typoVer, test_version:\"4.1.13\") ||\n version_in_range(version:typoVer, test_version:\"4.2.0\", test_version2:\"4.2.9\"))\n {\n security_message(typoPort);\n exit(0);\n }\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-22T17:03:15", "bulletinFamily": 
"scanner", "cvelist": ["CVE-2009-3634"], "description": "This host is installed with TYPO3 and is prone to cross site scripting\nvulnerability.", "modified": "2020-04-20T00:00:00", "published": "2013-12-30T00:00:00", "id": "OPENVAS:1361412562310803991", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803991", "type": "openvas", "title": "TYPO3 felogin Cross Site Scripting Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# TYPO3 felogin Cross Site Scripting Vulnerability\n#\n# Authors:\n# Shashi Kiran N <nskiran@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:typo3:typo3\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803991\");\n script_version(\"2020-04-20T13:31:49+0000\");\n script_cve_id(\"CVE-2009-3634\");\n script_bugtraq_id(36801);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"last_modification\", value:\"2020-04-20 13:31:49 +0000 (Mon, 20 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-12-30 14:55:43 +0530 (Mon, 30 Dec 2013)\");\n script_name(\"TYPO3 felogin Cross Site Scripting Vulnerability\");\n\n\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to steal the victim's\ncookie-based authentication credentials.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"An error exist in the front-end login box (felogin), which fails to validate\ncertain user inputs\");\n script_tag(name:\"solution\", value:\"Upgrade to TYPO3 version 4.2.7 or later.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"This host is installed with TYPO3 and is prone to cross site scripting\nvulnerability.\");\n script_tag(name:\"affected\", value:\"TYPO3 versions 4.2.0 to 4.2.6\");\n\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/53926\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/37122\");\n script_xref(name:\"URL\", 
value:\"http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2009-016/\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_typo3_detect.nasl\");\n script_mandatory_keys(\"TYPO3/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\n\nif(!typoPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(typoVer = get_app_version(cpe:CPE, port:typoPort))\n{\n if( typoVer !~ \"[0-9]+\\.[0-9]+\\.[0-9]+\" ) exit( 0 ); # Version is not exact enough\n if(version_in_range(version:typoVer, test_version:\"4.2.0\", test_version2:\"4.2.6\"))\n {\n report = report_fixed_ver(installed_version:typoVer, vulnerable_range:\"4.2.0 - 4.2.6\");\n security_message(port:typoPort, data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "cvelist": ["CVE-2009-3635", "CVE-2009-3630", "CVE-2009-3633", "CVE-2009-3629", "CVE-2009-3632", "CVE-2009-3631", "CVE-2009-3628", "CVE-2009-3636", "CVE-2009-3634"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\nDebian Security Advisory DSA-1926-1 security@debian.org\r\nhttp://www.debian.org/security/ Thijs Kinkhorst\r\nNovember 4, 2009 http://www.debian.org/security/faq\r\n- ------------------------------------------------------------------------\r\n\r\nPackage : typo3-src\r\nVulnerability : several\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE Id(s) : CVE-2009-3628 CVE-2009-3629 CVE-2009-3630 CVE-2009-3631\r\n CVE-2009-3632 CVE-2009-3633 CVE-2009-3634 CVE-2009-3635\r\n CVE-2009-3636\r\nDebian Bug : 552020\r\n\r\nSeveral remote vulnerabilities have been discovered in the TYPO3 web\r\ncontent 
management framework. The Common Vulnerabilities and Exposures\r\nproject identifies the following problems:\r\n\r\nCVE-2009-3628\r\n\r\n The Backend subcomponent allows remote authenticated users to\r\n determine an encryption key via crafted input to a form field.\r\n\r\nCVE-2009-3629\r\n\r\n Multiple cross-site scripting (XSS) vulnerabilities in the\r\n Backend subcomponent allow remote authenticated users to inject\r\n arbitrary web script or HTML.\r\n\r\nCVE-2009-3630\r\n\r\n The Backend subcomponent allows remote authenticated users to\r\n place arbitrary web sites in TYPO3 backend framesets via\r\n crafted parameters.\r\n\r\nCVE-2009-3631\r\n\r\n The Backend subcomponent, when the DAM extension or ftp upload\r\n is enabled, allows remote authenticated users to execute\r\n arbitrary commands via shell metacharacters in a filename.\r\n\r\nCVE-2009-3632\r\n\r\n SQL injection vulnerability in the traditional frontend editing\r\n feature in the Frontend Editing subcomponent allows remote\r\n authenticated users to execute arbitrary SQL commands.\r\n\r\nCVE-2009-3633\r\n\r\n Cross-site scripting (XSS) vulnerability in allows remote\r\n attackers to inject arbitrary web script.\r\n\r\nCVE-2009-3634\r\n\r\n Cross-site scripting (XSS) vulnerability in the Frontend Login Box\r\n (aka felogin) subcomponent allows remote attackers to inject\r\n arbitrary web script or HTML.\r\n\r\nCVE-2009-3635\r\n\r\n The Install Tool subcomponent allows remote attackers to gain access\r\n by using only the password's md5 hash as a credential.\r\n\r\nCVE-2009-3636\r\n\r\n Cross-site scripting (XSS) vulnerability in the Install Tool\r\n subcomponen allows remote attackers to inject arbitrary web script\r\n or HTML.\r\n\r\nFor the old stable distribution (etch), these problems have been fixed\r\nin version 4.0.2+debian-9.\r\n\r\nFor the stable distribution (lenny), these problems have been fixed in\r\nversion 4.2.5-1+lenny2.\r\n\r\nFor the unstable distribution (sid), these problems have 
been fixed in\r\nversion 4.2.10-1.\r\n\r\nWe recommend that you upgrade your typo3-src package.\r\n\r\nUpgrade instructions\r\n- --------------------\r\n\r\nwget url\r\n will fetch the file for you\r\ndpkg -i file.deb\r\n will install the referenced file.\r\n\r\nIf you are using the apt-get package manager, use the line for\r\nsources.list as given below:\r\n\r\napt-get update\r\n will update the internal database\r\napt-get upgrade\r\n will install corrected packages\r\n\r\nYou may use an automated update by adding the resources from the\r\nfooter to the proper configuration.\r\n\r\n\r\nDebian GNU/Linux 4.0 alias etch\r\n- -------------------------------\r\n\r\nArchitecture independent packages:\r\n\r\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src-4.0_4.0.2+debian-9_all.deb\r\n Size/MD5 checksum: 7696110 030c0d0fa407a74b5d48a24d280e2ce5\r\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3_4.0.2+debian-9_all.deb\r\n Size/MD5 checksum: 77256 ba868af9c67e56ba346233e3473b94c6\r\n\r\nSource archives:\r\n\r\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian-9.diff.gz\r\n Size/MD5 checksum: 32793 a0f7dee86225e89e4914633d2401e232\r\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian.orig.tar.gz\r\n Size/MD5 checksum: 7683527 be509391b0e4d24278c14100c09dc673\r\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian-9.dsc\r\n Size/MD5 checksum: 610 522ed0d81b54572f24b984a8448d594b\r\n\r\nDebian GNU/Linux 5.0 alias lenny\r\n- --------------------------------\r\n\r\nSource archives:\r\n\r\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.2.5.orig.tar.gz\r\n Size/MD5 checksum: 8144727 75b2e5db6ac586fb6176f329be452159\r\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.2.5-1+lenny2.diff.gz\r\n Size/MD5 checksum: 122866 d4bce174f2ea2a94834cc0d250b51495\r\n 
http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.2.5-1+lenny2.dsc\r\n Size/MD5 checksum: 1008 8980c630529cf34c44f491e4ee6e6e07\r\n\r\nArchitecture independent packages:\r\n\r\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src-4.2_4.2.5-1+lenny2_all.deb\r\n Size/MD5 checksum: 8201724 ea85991b8e26953d7ff43080458cc766\r\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3_4.2.5-1+lenny2_all.deb\r\n Size/MD5 checksum: 133854 04e43a0b661c56a307a06f282f304e43\r\n\r\n\r\n These files will probably be moved into the stable distribution on\r\n its next update.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (GNU/Linux)\r\n\r\niQEcBAEBAgAGBQJK8dbCAAoJECIIoQCMVaAcu6cH/RM9LZkCTXR9kr6i2XjyiD4S\r\n5YyMDoH9634YG6FGy+BawPpC5Bwa+hFNNZylUVu0W1oat5tHSOH1SdaMw++AU1GV\r\nBR4ICxCO7E877JyQNSCBqELrMqCJcpH24Afq5VEbCZJiVOmWAd6M45hnqdMPY63r\r\np7MCwsw/iaZuwD3BiVutwMxQ9baejxfbRz4iJbd/K2HzV3+mHz5Xz9LSy0BBpC4e\r\nTN5faFnhwl8LdFvnf9gziGp9AVfSI8/RLDVqDRNSBgLB7qZgnQiKSQ+2fO708llA\r\naJXwGa8WmgIRMVo3oEXKQ/74K9B3RmKppv+szXEiFnhZ6l2J3AzMxUd4sBFZWUI=\r\n=fwRT\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2009-11-05T00:00:00", "published": "2009-11-05T00:00:00", "id": "SECURITYVULNS:DOC:22737", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22737", "title": "[SECURITY] [DSA 1926-1] New TYPO3 packages fix several vulnerabilities", "type": "securityvulns", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:34", "bulletinFamily": "software", "cvelist": 
["CVE-2009-3635", "CVE-2009-3630", "CVE-2009-3633", "CVE-2009-3629", "CVE-2009-3632", "CVE-2009-3631", "CVE-2009-3628", "CVE-2009-3636", "CVE-2009-3634"], "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "edition": 1, "modified": "2009-11-05T00:00:00", "published": "2009-11-05T00:00:00", "id": "SECURITYVULNS:VULN:10371", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10371", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2020-11-11T13:29:36", "bulletinFamily": "unix", "cvelist": ["CVE-2009-3635", "CVE-2009-3630", "CVE-2009-3633", "CVE-2009-3629", "CVE-2009-3632", "CVE-2009-3631", "CVE-2009-3628", "CVE-2009-3636", "CVE-2009-3634"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1926-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nNovember 4, 2009 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : typo3-src\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2009-3628 CVE-2009-3629 CVE-2009-3630 CVE-2009-3631\n CVE-2009-3632 CVE-2009-3633 CVE-2009-3634 CVE-2009-3635\n CVE-2009-3636\nDebian Bug : 552020\n\nSeveral remote vulnerabilities have been discovered in the TYPO3 web\ncontent management framework. 
The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2009-3628\n\n The Backend subcomponent allows remote authenticated users to\n determine an encryption key via crafted input to a form field.\n\nCVE-2009-3629\n\n Multiple cross-site scripting (XSS) vulnerabilities in the\n Backend subcomponent allow remote authenticated users to inject\n arbitrary web script or HTML.\n\nCVE-2009-3630\n\n The Backend subcomponent allows remote authenticated users to\n place arbitrary web sites in TYPO3 backend framesets via\n crafted parameters.\n\nCVE-2009-3631\n\n The Backend subcomponent, when the DAM extension or ftp upload\n is enabled, allows remote authenticated users to execute\n arbitrary commands via shell metacharacters in a filename.\n\nCVE-2009-3632\n\n SQL injection vulnerability in the traditional frontend editing\n feature in the Frontend Editing subcomponent allows remote\n authenticated users to execute arbitrary SQL commands.\n\nCVE-2009-3633\n\n Cross-site scripting (XSS) vulnerability in allows remote\n attackers to inject arbitrary web script.\n\nCVE-2009-3634\n\n Cross-site scripting (XSS) vulnerability in the Frontend Login Box\n (aka felogin) subcomponent allows remote attackers to inject\n arbitrary web script or HTML.\n\nCVE-2009-3635\n\n The Install Tool subcomponent allows remote attackers to gain access\n by using only the password's md5 hash as a credential.\n\nCVE-2009-3636\n\n Cross-site scripting (XSS) vulnerability in the Install Tool\n subcomponent allows remote attackers to inject arbitrary web script\n or HTML.\n\nFor the old stable distribution (etch), these problems have been fixed\nin version 4.0.2+debian-9.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 4.2.5-1+lenny2.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 4.2.10-1.\n\nWe recommend that you upgrade your typo3-src package.\n\nUpgrade instructions\n- 
--------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src-4.0_4.0.2+debian-9_all.deb\n Size/MD5 checksum: 7696110 030c0d0fa407a74b5d48a24d280e2ce5\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3_4.0.2+debian-9_all.deb\n Size/MD5 checksum: 77256 ba868af9c67e56ba346233e3473b94c6\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian-9.diff.gz\n Size/MD5 checksum: 32793 a0f7dee86225e89e4914633d2401e232\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian.orig.tar.gz\n Size/MD5 checksum: 7683527 be509391b0e4d24278c14100c09dc673\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian-9.dsc\n Size/MD5 checksum: 610 522ed0d81b54572f24b984a8448d594b\n\nDebian GNU/Linux 5.0 alias lenny\n- --------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.2.5.orig.tar.gz\n Size/MD5 checksum: 8144727 75b2e5db6ac586fb6176f329be452159\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.2.5-1+lenny2.diff.gz\n Size/MD5 checksum: 122866 d4bce174f2ea2a94834cc0d250b51495\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.2.5-1+lenny2.dsc\n Size/MD5 checksum: 1008 8980c630529cf34c44f491e4ee6e6e07\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src-4.2_4.2.5-1+lenny2_all.deb\n 
Size/MD5 checksum: 8201724 ea85991b8e26953d7ff43080458cc766\n http://security.debian.org/pool/updates/main/t/typo3-src/typo3_4.2.5-1+lenny2_all.deb\n Size/MD5 checksum: 133854 04e43a0b661c56a307a06f282f304e43\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2009-11-04T19:33:31", "published": "2009-11-04T19:33:31", "id": "DEBIAN:DSA-1926-1:5437C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2009/msg00249.html", "title": "[SECURITY] [DSA 1926-1] New TYPO3 packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:11", "bulletinFamily": "unix", "cvelist": ["CVE-2009-3635", "CVE-2009-3630", "CVE-2009-3633", "CVE-2009-3629", "CVE-2009-3632", "CVE-2009-3631", "CVE-2009-3628", "CVE-2009-3636", "CVE-2009-3634"], "description": "\nTYPO3 develop team reports:\n\nAffected versions: TYPO3 versions 4.0.13 and below, 4.1.12\n\t and below, 4.2.9 and below, 4.3.0beta1 and below.\nSQL injection, Cross-site scripting (XSS), Information\n\t disclosure, Frame hijacking, Remote shell command execution\n\t and Insecure Install Tool authentication/session handling.\n\n", "edition": 4, "modified": "2009-10-22T00:00:00", "published": "2009-10-22T00:00:00", "id": "6693BAD2-CA50-11DE-8EE8-00215C6A37BB", "href": "https://vuxml.freebsd.org/freebsd/6693bad2-ca50-11de-8ee8-00215c6a37bb.html", "title": "typo3 -- multiple vulnerabilities in TYPO3 Core", "type": "freebsd", "cvss": {"score": 8.5, "vector": 
"AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-07T10:44:59", "description": "TYPO3 develop team reports :\n\nAffected versions: TYPO3 versions 4.0.13 and below, 4.1.12 and below,\n4.2.9 and below, 4.3.0beta1 and below.\n\nSQL injection, Cross-site scripting (XSS), Information disclosure,\nFrame hijacking, Remote shell command execution and Insecure Install\nTool authentication/session handling.", "edition": 26, "published": "2009-11-06T00:00:00", "title": "FreeBSD : typo3 -- multiple vulnerabilities in TYPO3 Core (6693bad2-ca50-11de-8ee8-00215c6a37bb)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3635", "CVE-2009-3630", "CVE-2009-3633", "CVE-2009-3629", "CVE-2009-3632", "CVE-2009-3631", "CVE-2009-3628", "CVE-2009-3636", "CVE-2009-3634"], "modified": "2009-11-06T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:typo3"], "id": "FREEBSD_PKG_6693BAD2CA5011DE8EE800215C6A37BB.NASL", "href": "https://www.tenable.com/plugins/nessus/42404", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(42404);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2009-3628\", \"CVE-2009-3629\", \"CVE-2009-3630\", \"CVE-2009-3631\", \"CVE-2009-3632\", \"CVE-2009-3633\", \"CVE-2009-3634\", \"CVE-2009-3635\", \"CVE-2009-3636\");\n script_bugtraq_id(36801);\n script_xref(name:\"Secunia\", value:\"37122\");\n\n script_name(english:\"FreeBSD : typo3 -- multiple vulnerabilities in TYPO3 Core (6693bad2-ca50-11de-8ee8-00215c6a37bb)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", 
\n value:\n\"TYPO3 develop team reports :\n\nAffected versions: TYPO3 versions 4.0.13 and below, 4.1.12 and below,\n4.2.9 and below, 4.3.0beta1 and below.\n\nSQL injection, Cross-site scripting (XSS), Information disclosure,\nFrame hijacking, Remote shell command execution and Insecure Install\nTool authentication/session handling.\"\n );\n # http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c37d7168\"\n );\n # https://vuxml.freebsd.org/freebsd/6693bad2-ca50-11de-8ee8-00215c6a37bb.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9d2d794e\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79, 89, 94, 200, 287, 352);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:typo3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/10/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/11/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"typo3<4.2.10\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2020-12-09T19:31:22", "description": "The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential.", "edition": 5, "cvss3": {}, "published": "2009-11-02T15:30:00", "title": "CVE-2009-3635", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3635"], "modified": "2017-08-17T01:31:00", "cpe": ["cpe:/a:typo3:typo3:4.0.10", "cpe:/a:typo3:typo3:4.2.2", "cpe:/a:typo3:typo3:3.8", "cpe:/a:typo3:typo3:1.1.09", 
"cpe:/a:typo3:typo3:1.0.14", "cpe:/a:typo3:typo3:4.0.12", "cpe:/a:typo3:typo3:4.3", "cpe:/a:typo3:typo3:4.0.5", "cpe:/a:typo3:typo3:4.2.0", "cpe:/a:typo3:typo3:4.2.7", "cpe:/a:typo3:typo3:4.1.4", "cpe:/a:typo3:typo3:4.1.9", "cpe:/a:typo3:typo3:4.2.4", "cpe:/a:typo3:typo3:4.1.7", "cpe:/a:typo3:typo3:1.1.10", "cpe:/a:typo3:typo3:4.2.8", "cpe:/a:typo3:typo3:4.0.7", "cpe:/a:typo3:typo3:4.0.6", "cpe:/a:typo3:typo3:4.1.10", "cpe:/a:typo3:typo3:4.2.1", "cpe:/a:typo3:typo3:4.0.8", "cpe:/a:typo3:typo3:4.2.5", "cpe:/a:typo3:typo3:4.1.8", "cpe:/a:typo3:typo3:4.2.6", "cpe:/a:typo3:typo3:1.3.0", "cpe:/a:typo3:typo3:3.7.0", "cpe:/a:typo3:typo3:4.1.12", "cpe:/a:typo3:typo3:3.6.x", "cpe:/a:typo3:typo3:4.0", "cpe:/a:typo3:typo3:4.1.5", "cpe:/a:typo3:typo3:4.1.11", "cpe:/a:typo3:typo3:3.7.x", "cpe:/a:typo3:typo3:4.1.1", "cpe:/a:typo3:typo3:1.1", "cpe:/a:typo3:typo3:4.2.3", "cpe:/a:typo3:typo3:4.2.9", "cpe:/a:typo3:typo3:1.3.2", "cpe:/a:typo3:typo3:4.0.4", "cpe:/a:typo3:typo3:3.5.x", "cpe:/a:typo3:typo3:4.1.3", "cpe:/a:typo3:typo3:3.7.1", "cpe:/a:typo3:typo3:3.3.x", "cpe:/a:typo3:typo3:4.0.1", "cpe:/a:typo3:typo3:4.0.9", "cpe:/a:typo3:typo3:4.1.6", "cpe:/a:typo3:typo3:4.1.0", "cpe:/a:typo3:typo3:3.5", "cpe:/a:typo3:typo3:4.0.3", "cpe:/a:typo3:typo3:0.1.2", "cpe:/a:typo3:typo3:1.2.0", "cpe:/a:typo3:typo3:1.1.1", "cpe:/a:typo3:typo3:3.8.x", "cpe:/a:typo3:typo3:4.1.2", "cpe:/a:typo3:typo3:4.0.11", "cpe:/a:typo3:typo3:4.0.2", "cpe:/a:typo3:typo3:3.0"], "id": "CVE-2009-3635", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3635", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:typo3:typo3:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.3.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.5.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:0.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.09:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.8.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:alpha1:*:*:*:*:*:*", 
"cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.6.x:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:31:22", "description": "Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the sanitizing algorithm.", "edition": 5, "cvss3": {}, "published": "2009-11-02T15:30:00", "title": "CVE-2009-3633", "type": "cve", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3633"], "modified": "2017-08-17T01:31:00", "cpe": ["cpe:/a:typo3:typo3:4.0.10", "cpe:/a:typo3:typo3:4.2.2", "cpe:/a:typo3:typo3:3.8", "cpe:/a:typo3:typo3:1.1.09", "cpe:/a:typo3:typo3:1.0.14", "cpe:/a:typo3:typo3:4.0.12", "cpe:/a:typo3:typo3:4.3", "cpe:/a:typo3:typo3:4.0.5", "cpe:/a:typo3:typo3:4.2.0", "cpe:/a:typo3:typo3:4.2.7", "cpe:/a:typo3:typo3:4.1.4", "cpe:/a:typo3:typo3:4.1.9", "cpe:/a:typo3:typo3:4.2.4", "cpe:/a:typo3:typo3:4.1.7", "cpe:/a:typo3:typo3:1.1.10", "cpe:/a:typo3:typo3:4.2.8", "cpe:/a:typo3:typo3:4.0.7", "cpe:/a:typo3:typo3:4.0.6", "cpe:/a:typo3:typo3:4.1.10", "cpe:/a:typo3:typo3:4.2.1", "cpe:/a:typo3:typo3:4.0.8", "cpe:/a:typo3:typo3:4.2.5", 
"cpe:/a:typo3:typo3:4.1.8", "cpe:/a:typo3:typo3:4.2.6", "cpe:/a:typo3:typo3:1.3.0", "cpe:/a:typo3:typo3:3.7.0", "cpe:/a:typo3:typo3:4.1.12", "cpe:/a:typo3:typo3:3.6.x", "cpe:/a:typo3:typo3:4.0", "cpe:/a:typo3:typo3:4.1.5", "cpe:/a:typo3:typo3:4.1.11", "cpe:/a:typo3:typo3:3.7.x", "cpe:/a:typo3:typo3:4.1.1", "cpe:/a:typo3:typo3:1.1", "cpe:/a:typo3:typo3:4.2.3", "cpe:/a:typo3:typo3:4.2.9", "cpe:/a:typo3:typo3:1.3.2", "cpe:/a:typo3:typo3:4.0.4", "cpe:/a:typo3:typo3:3.5.x", "cpe:/a:typo3:typo3:4.1.3", "cpe:/a:typo3:typo3:3.7.1", "cpe:/a:typo3:typo3:3.3.x", "cpe:/a:typo3:typo3:4.0.1", "cpe:/a:typo3:typo3:4.0.9", "cpe:/a:typo3:typo3:4.1.6", "cpe:/a:typo3:typo3:4.1.0", "cpe:/a:typo3:typo3:3.5", "cpe:/a:typo3:typo3:4.0.3", "cpe:/a:typo3:typo3:0.1.2", "cpe:/a:typo3:typo3:1.2.0", "cpe:/a:typo3:typo3:1.1.1", "cpe:/a:typo3:typo3:3.8.x", "cpe:/a:typo3:typo3:4.1.2", "cpe:/a:typo3:typo3:4.0.11", "cpe:/a:typo3:typo3:4.0.2", "cpe:/a:typo3:typo3:3.0"], "id": "CVE-2009-3633", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3633", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:typo3:typo3:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.3.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.8:*:*:*:*:*:*:*", 
"cpe:2.3:a:typo3:typo3:4.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.5.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:0.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.09:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.8.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:alpha1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.6.x:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:31:22", "description": "Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 
4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.", "edition": 5, "cvss3": {}, "published": "2009-11-02T15:30:00", "title": "CVE-2009-3629", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3629"], "modified": "2017-08-17T01:31:00", "cpe": ["cpe:/a:typo3:typo3:4.0.10", "cpe:/a:typo3:typo3:4.2.2", "cpe:/a:typo3:typo3:4.0.12", "cpe:/a:typo3:typo3:4.3", "cpe:/a:typo3:typo3:4.0.5", "cpe:/a:typo3:typo3:4.2.0", "cpe:/a:typo3:typo3:4.2.7", "cpe:/a:typo3:typo3:4.1.4", "cpe:/a:typo3:typo3:4.1.9", "cpe:/a:typo3:typo3:4.2.4", "cpe:/a:typo3:typo3:4.1.7", "cpe:/a:typo3:typo3:4.2.8", "cpe:/a:typo3:typo3:4.0.7", "cpe:/a:typo3:typo3:4.0.6", "cpe:/a:typo3:typo3:4.1.10", "cpe:/a:typo3:typo3:4.2.1", "cpe:/a:typo3:typo3:4.0.8", "cpe:/a:typo3:typo3:4.2.5", "cpe:/a:typo3:typo3:4.1.8", "cpe:/a:typo3:typo3:4.11", "cpe:/a:typo3:typo3:4.2.6", "cpe:/a:typo3:typo3:4.1.12", "cpe:/a:typo3:typo3:4.10", "cpe:/a:typo3:typo3:4.0", "cpe:/a:typo3:typo3:4.1.5", "cpe:/a:typo3:typo3:4.0.13", "cpe:/a:typo3:typo3:4.1.11", "cpe:/a:typo3:typo3:4.1.1", "cpe:/a:typo3:typo3:4.2.3", "cpe:/a:typo3:typo3:4.2.9", "cpe:/a:typo3:typo3:4.0.4", "cpe:/a:typo3:typo3:4.1.3", "cpe:/a:typo3:typo3:4.1", "cpe:/a:typo3:typo3:4.0.1", "cpe:/a:typo3:typo3:4.0.9", "cpe:/a:typo3:typo3:4.1.6", "cpe:/a:typo3:typo3:4.1.0", "cpe:/a:typo3:typo3:4.0.3", "cpe:/a:typo3:typo3:4.1.2", "cpe:/a:typo3:typo3:4.0.11", "cpe:/a:typo3:typo3:4.0.2"], "id": 
"CVE-2009-3629", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3629", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:typo3:typo3:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:beta1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:alpha1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:typo3:typo3:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1:beta:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.11:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:31:22", "description": "The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to determine an encryption key via crafted input to a tt_content form element.", "edition": 5, "cvss3": {}, "published": "2009-11-02T15:30:00", "title": "CVE-2009-3628", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3628"], "modified": "2017-08-17T01:31:00", "cpe": ["cpe:/a:typo3:typo3:4.0.10", "cpe:/a:typo3:typo3:4.2.2", "cpe:/a:typo3:typo3:3.8", "cpe:/a:typo3:typo3:1.1.09", "cpe:/a:typo3:typo3:1.0.14", "cpe:/a:typo3:typo3:4.0.12", "cpe:/a:typo3:typo3:4.3", "cpe:/a:typo3:typo3:4.0.5", "cpe:/a:typo3:typo3:4.2.0", "cpe:/a:typo3:typo3:4.2.7", "cpe:/a:typo3:typo3:4.1.4", "cpe:/a:typo3:typo3:4.1.9", "cpe:/a:typo3:typo3:4.2.4", "cpe:/a:typo3:typo3:4.1.7", "cpe:/a:typo3:typo3:1.1.10", "cpe:/a:typo3:typo3:4.2.8", "cpe:/a:typo3:typo3:4.0.7", "cpe:/a:typo3:typo3:4.0.6", "cpe:/a:typo3:typo3:4.1.10", "cpe:/a:typo3:typo3:4.2.1", "cpe:/a:typo3:typo3:4.0.8", "cpe:/a:typo3:typo3:4.2.5", "cpe:/a:typo3:typo3:4.1.8", "cpe:/a:typo3:typo3:4.2.6", "cpe:/a:typo3:typo3:1.3.0", "cpe:/a:typo3:typo3:3.7.0", 
"cpe:/a:typo3:typo3:4.1.12", "cpe:/a:typo3:typo3:3.6.x", "cpe:/a:typo3:typo3:4.0", "cpe:/a:typo3:typo3:4.1.5", "cpe:/a:typo3:typo3:4.1.11", "cpe:/a:typo3:typo3:3.7.x", "cpe:/a:typo3:typo3:4.1.1", "cpe:/a:typo3:typo3:1.1", "cpe:/a:typo3:typo3:4.2.3", "cpe:/a:typo3:typo3:4.2.9", "cpe:/a:typo3:typo3:1.3.2", "cpe:/a:typo3:typo3:4.0.4", "cpe:/a:typo3:typo3:3.5.x", "cpe:/a:typo3:typo3:4.1.3", "cpe:/a:typo3:typo3:3.7.1", "cpe:/a:typo3:typo3:3.3.x", "cpe:/a:typo3:typo3:4.0.1", "cpe:/a:typo3:typo3:4.0.9", "cpe:/a:typo3:typo3:4.1.6", "cpe:/a:typo3:typo3:4.1.0", "cpe:/a:typo3:typo3:3.5", "cpe:/a:typo3:typo3:4.0.3", "cpe:/a:typo3:typo3:0.1.2", "cpe:/a:typo3:typo3:1.2.0", "cpe:/a:typo3:typo3:1.1.1", "cpe:/a:typo3:typo3:3.8.x", "cpe:/a:typo3:typo3:4.1.2", "cpe:/a:typo3:typo3:4.0.11", "cpe:/a:typo3:typo3:4.0.2", "cpe:/a:typo3:typo3:3.0"], "id": "CVE-2009-3628", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3628", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:typo3:typo3:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.3.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.9:*:*:*:*:*:*:*", 
"cpe:2.3:a:typo3:typo3:4.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.5.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:0.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.09:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.8.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:alpha1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.6.x:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:54:18", "description": "Cross-site scripting (XSS) vulnerability in the Frontend Login Box (aka felogin) subcomponent in TYPO3 4.2.0 through 4.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.", "edition": 3, "cvss3": {}, "published": 
"2009-11-02T15:30:00", "title": "CVE-2009-3634", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3634"], "modified": "2017-08-17T01:31:00", "cpe": ["cpe:/a:typo3:typo3:4.2.2", "cpe:/a:typo3:typo3:4.2.0", "cpe:/a:typo3:typo3:4.2.4", "cpe:/a:typo3:typo3:4.2.1", "cpe:/a:typo3:typo3:4.2.5", "cpe:/a:typo3:typo3:4.2.6"], "id": "CVE-2009-3634", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3634", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.6:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:31:22", "description": "The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters, related to a \"frame hijacking\" issue.", "edition": 5, "cvss3": {}, "published": "2009-11-02T15:30:00", "title": "CVE-2009-3630", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": 
"PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3630"], "modified": "2017-08-17T01:31:00", "cpe": ["cpe:/a:typo3:typo3:4.0.10", "cpe:/a:typo3:typo3:4.2.2", "cpe:/a:typo3:typo3:3.8", "cpe:/a:typo3:typo3:1.1.09", "cpe:/a:typo3:typo3:1.0.14", "cpe:/a:typo3:typo3:4.0.12", "cpe:/a:typo3:typo3:4.3", "cpe:/a:typo3:typo3:4.0.5", "cpe:/a:typo3:typo3:4.2.0", "cpe:/a:typo3:typo3:4.2.7", "cpe:/a:typo3:typo3:4.1.4", "cpe:/a:typo3:typo3:4.1.9", "cpe:/a:typo3:typo3:4.2.4", "cpe:/a:typo3:typo3:4.1.7", "cpe:/a:typo3:typo3:1.1.10", "cpe:/a:typo3:typo3:4.2.8", "cpe:/a:typo3:typo3:4.0.7", "cpe:/a:typo3:typo3:4.0.6", "cpe:/a:typo3:typo3:4.1.10", "cpe:/a:typo3:typo3:4.2.1", "cpe:/a:typo3:typo3:4.0.8", "cpe:/a:typo3:typo3:4.2.5", "cpe:/a:typo3:typo3:4.1.8", "cpe:/a:typo3:typo3:4.2.6", "cpe:/a:typo3:typo3:1.3.0", "cpe:/a:typo3:typo3:3.7.0", "cpe:/a:typo3:typo3:4.1.12", "cpe:/a:typo3:typo3:3.6.x", "cpe:/a:typo3:typo3:4.0", "cpe:/a:typo3:typo3:4.1.5", "cpe:/a:typo3:typo3:4.1.11", "cpe:/a:typo3:typo3:3.7.x", "cpe:/a:typo3:typo3:4.1.1", "cpe:/a:typo3:typo3:1.1", "cpe:/a:typo3:typo3:4.2.3", "cpe:/a:typo3:typo3:4.2.9", "cpe:/a:typo3:typo3:1.3.2", "cpe:/a:typo3:typo3:4.0.4", "cpe:/a:typo3:typo3:3.5.x", "cpe:/a:typo3:typo3:4.1.3", "cpe:/a:typo3:typo3:3.7.1", "cpe:/a:typo3:typo3:3.3.x", "cpe:/a:typo3:typo3:4.0.1", "cpe:/a:typo3:typo3:4.0.9", "cpe:/a:typo3:typo3:4.1.6", "cpe:/a:typo3:typo3:4.1.0", "cpe:/a:typo3:typo3:3.5", "cpe:/a:typo3:typo3:4.0.3", "cpe:/a:typo3:typo3:0.1.2", "cpe:/a:typo3:typo3:1.2.0", "cpe:/a:typo3:typo3:1.1.1", "cpe:/a:typo3:typo3:3.8.x", "cpe:/a:typo3:typo3:4.1.2", "cpe:/a:typo3:typo3:4.0.11", "cpe:/a:typo3:typo3:4.0.2", "cpe:/a:typo3:typo3:3.0"], "id": "CVE-2009-3630", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3630", "cvss": {"score": 5.5, "vector": 
"AV:N/AC:L/Au:S/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:a:typo3:typo3:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.3.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.5.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:0.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*", 
"cpe:2.3:a:typo3:typo3:4.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.09:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.8.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:alpha1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.6.x:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:31:22", "description": "SQL injection vulnerability in the traditional frontend editing feature in the Frontend Editing subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to execute arbitrary SQL commands via unspecified parameters.", "edition": 5, "cvss3": {}, "published": "2009-11-02T15:30:00", "title": "CVE-2009-3632", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3632"], "modified": "2017-08-17T01:31:00", "cpe": ["cpe:/a:typo3:typo3:4.0.10", "cpe:/a:typo3:typo3:4.2.2", "cpe:/a:typo3:typo3:4.0.12", "cpe:/a:typo3:typo3:4.3", "cpe:/a:typo3:typo3:4.0.5", "cpe:/a:typo3:typo3:4.2.0", "cpe:/a:typo3:typo3:4.2.7", 
"cpe:/a:typo3:typo3:4.1.4", "cpe:/a:typo3:typo3:4.1.9", "cpe:/a:typo3:typo3:4.2.4", "cpe:/a:typo3:typo3:4.1.7", "cpe:/a:typo3:typo3:4.2.8", "cpe:/a:typo3:typo3:4.0.7", "cpe:/a:typo3:typo3:4.0.6", "cpe:/a:typo3:typo3:4.1.10", "cpe:/a:typo3:typo3:4.2.1", "cpe:/a:typo3:typo3:4.0.8", "cpe:/a:typo3:typo3:4.2.5", "cpe:/a:typo3:typo3:4.1.8", "cpe:/a:typo3:typo3:4.11", "cpe:/a:typo3:typo3:4.2.6", "cpe:/a:typo3:typo3:4.1.12", "cpe:/a:typo3:typo3:4.10", "cpe:/a:typo3:typo3:4.0", "cpe:/a:typo3:typo3:4.1.5", "cpe:/a:typo3:typo3:4.0.13", "cpe:/a:typo3:typo3:4.1.11", "cpe:/a:typo3:typo3:4.1.1", "cpe:/a:typo3:typo3:4.2.3", "cpe:/a:typo3:typo3:4.2.9", "cpe:/a:typo3:typo3:4.0.4", "cpe:/a:typo3:typo3:4.1.3", "cpe:/a:typo3:typo3:4.1", "cpe:/a:typo3:typo3:4.0.1", "cpe:/a:typo3:typo3:4.0.9", "cpe:/a:typo3:typo3:4.1.6", "cpe:/a:typo3:typo3:4.1.0", "cpe:/a:typo3:typo3:4.0.3", "cpe:/a:typo3:typo3:4.1.2", "cpe:/a:typo3:typo3:4.0.11", "cpe:/a:typo3:typo3:4.0.2"], "id": "CVE-2009-3632", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3632", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:typo3:typo3:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.10:*:*:*:*:*:*:*", 
"cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:beta1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:alpha1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1:beta:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.11:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:31:22", "description": "The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.", "edition": 5, "cvss3": {}, "published": "2009-11-02T15:30:00", "title": "CVE-2009-3631", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3631"], "modified": "2017-08-17T01:31:00", "cpe": ["cpe:/a:typo3:typo3:4.0.10", "cpe:/a:typo3:typo3:4.2.2", "cpe:/a:typo3:typo3:3.8", "cpe:/a:typo3:typo3:1.1.09", "cpe:/a:typo3:typo3:1.0.14", "cpe:/a:typo3:typo3:4.0.12", "cpe:/a:typo3:typo3:4.3", "cpe:/a:typo3:typo3:4.0.5", "cpe:/a:typo3:typo3:4.2.0", "cpe:/a:typo3:typo3:4.2.7", "cpe:/a:typo3:typo3:4.1.4", "cpe:/a:typo3:typo3:4.1.9", "cpe:/a:typo3:typo3:4.2.4", "cpe:/a:typo3:typo3:4.1.7", "cpe:/a:typo3:typo3:1.1.10", "cpe:/a:typo3:typo3:4.2.8", "cpe:/a:typo3:typo3:4.0.7", "cpe:/a:typo3:typo3:4.0.6", "cpe:/a:typo3:typo3:4.1.10", "cpe:/a:typo3:typo3:4.2.1", "cpe:/a:typo3:typo3:4.0.8", "cpe:/a:typo3:typo3:4.2.5", "cpe:/a:typo3:typo3:4.1.8", "cpe:/a:typo3:typo3:4.2.6", "cpe:/a:typo3:typo3:1.3.0", "cpe:/a:typo3:typo3:3.7.0", "cpe:/a:typo3:typo3:4.1.12", "cpe:/a:typo3:typo3:3.6.x", "cpe:/a:typo3:typo3:4.0", "cpe:/a:typo3:typo3:4.1.5", "cpe:/a:typo3:typo3:4.1.11", "cpe:/a:typo3:typo3:3.7.x", "cpe:/a:typo3:typo3:4.1.1", "cpe:/a:typo3:typo3:1.1", "cpe:/a:typo3:typo3:4.2.3", "cpe:/a:typo3:typo3:4.2.9", "cpe:/a:typo3:typo3:1.3.2", "cpe:/a:typo3:typo3:4.0.4", "cpe:/a:typo3:typo3:3.5.x", "cpe:/a:typo3:typo3:4.1.3", "cpe:/a:typo3:typo3:3.7.1", "cpe:/a:typo3:typo3:3.3.x", "cpe:/a:typo3:typo3:4.0.1", "cpe:/a:typo3:typo3:4.0.9", "cpe:/a:typo3:typo3:4.1.6", "cpe:/a:typo3:typo3:4.1.0", "cpe:/a:typo3:typo3:3.5", "cpe:/a:typo3:typo3:4.0.3", "cpe:/a:typo3:typo3:0.1.2", "cpe:/a:typo3:typo3:1.2.0", "cpe:/a:typo3:typo3:1.1.1", "cpe:/a:typo3:typo3:3.8.x", "cpe:/a:typo3:typo3:4.1.2", "cpe:/a:typo3:typo3:4.0.11", "cpe:/a:typo3:typo3:4.0.2", "cpe:/a:typo3:typo3:3.0"], "id": "CVE-2009-3631", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3631", "cvss": {"score": 8.5, "vector": 
"AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:typo3:typo3:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.3.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.5.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:0.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*", 
"cpe:2.3:a:typo3:typo3:4.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.09:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.8.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:alpha1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.6.x:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:31:22", "description": "Cross-site scripting (XSS) vulnerability in the Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.", "edition": 5, "cvss3": {}, "published": "2009-11-02T15:30:00", "title": "CVE-2009-3636", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3636"], "modified": "2017-08-17T01:31:00", "cpe": ["cpe:/a:typo3:typo3:4.0.10", "cpe:/a:typo3:typo3:4.2.2", "cpe:/a:typo3:typo3:3.8", "cpe:/a:typo3:typo3:1.1.09", "cpe:/a:typo3:typo3:1.0.14", "cpe:/a:typo3:typo3:4.0.12", "cpe:/a:typo3:typo3:4.3", "cpe:/a:typo3:typo3:4.0.5", "cpe:/a:typo3:typo3:4.2.0", 
"cpe:/a:typo3:typo3:4.2.7", "cpe:/a:typo3:typo3:4.1.4", "cpe:/a:typo3:typo3:4.1.9", "cpe:/a:typo3:typo3:4.2.4", "cpe:/a:typo3:typo3:4.1.7", "cpe:/a:typo3:typo3:1.1.10", "cpe:/a:typo3:typo3:4.2.8", "cpe:/a:typo3:typo3:4.0.7", "cpe:/a:typo3:typo3:4.0.6", "cpe:/a:typo3:typo3:4.1.10", "cpe:/a:typo3:typo3:4.2.1", "cpe:/a:typo3:typo3:4.0.8", "cpe:/a:typo3:typo3:4.2.5", "cpe:/a:typo3:typo3:4.1.8", "cpe:/a:typo3:typo3:4.2.6", "cpe:/a:typo3:typo3:1.3.0", "cpe:/a:typo3:typo3:3.7.0", "cpe:/a:typo3:typo3:4.1.12", "cpe:/a:typo3:typo3:3.6.x", "cpe:/a:typo3:typo3:4.0", "cpe:/a:typo3:typo3:4.1.5", "cpe:/a:typo3:typo3:4.1.11", "cpe:/a:typo3:typo3:3.7.x", "cpe:/a:typo3:typo3:4.1.1", "cpe:/a:typo3:typo3:1.1", "cpe:/a:typo3:typo3:4.2.3", "cpe:/a:typo3:typo3:4.2.9", "cpe:/a:typo3:typo3:1.3.2", "cpe:/a:typo3:typo3:4.0.4", "cpe:/a:typo3:typo3:3.5.x", "cpe:/a:typo3:typo3:4.1.3", "cpe:/a:typo3:typo3:3.7.1", "cpe:/a:typo3:typo3:3.3.x", "cpe:/a:typo3:typo3:4.0.1", "cpe:/a:typo3:typo3:4.0.9", "cpe:/a:typo3:typo3:4.1.6", "cpe:/a:typo3:typo3:4.1.0", "cpe:/a:typo3:typo3:3.5", "cpe:/a:typo3:typo3:4.0.3", "cpe:/a:typo3:typo3:0.1.2", "cpe:/a:typo3:typo3:1.2.0", "cpe:/a:typo3:typo3:1.1.1", "cpe:/a:typo3:typo3:3.8.x", "cpe:/a:typo3:typo3:4.1.2", "cpe:/a:typo3:typo3:4.0.11", "cpe:/a:typo3:typo3:4.0.2", "cpe:/a:typo3:typo3:3.0"], "id": "CVE-2009-3636", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3636", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:typo3:typo3:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.3.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.5:*:*:*:*:*:*:*", 
"cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.5.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:0.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1.09:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.8.x:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.3:alpha1:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.0.8:*:*:*:*:*:*:*", 
"cpe:2.3:a:typo3:typo3:4.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:4.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:3.6.x:*:*:*:*:*:*:*"]}]}