Date: Thu, 22 Jan 2009 17:11:52 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: coley@...re.org
Subject: Re: CVE id request: typo3 SA-2009-001


======================================================
Name: CVE-2009-0255
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0255
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/
Reference: BID:33376
Reference: URL:http://www.securityfocus.com/bid/33376
Reference: SECUNIA:33617
Reference: URL:http://secunia.com/advisories/33617
Reference: XF:typo3-installtool-weak-security(48132)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48132

The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0
through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with
an insufficiently random seed, which makes it easier for attackers to
crack the key.


======================================================
Name: CVE-2009-0256
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0256
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/
Reference: BID:33376
Reference: URL:http://www.securityfocus.com/bid/33376
Reference: SECUNIA:33617
Reference: URL:http://secunia.com/advisories/33617
Reference: XF:typo3-library-session-hijacking(48133)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48133

Session fixation vulnerability in the authentication library in TYPO3
4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3
allows remote attackers to hijack web sessions via unspecified vectors
related to (1) frontend and (2) backend authentication.


======================================================
Name: CVE-2009-0257
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0257
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/
Reference: BID:33376
Reference: URL:http://www.securityfocus.com/bid/33376
Reference: SECUNIA:33617
Reference: URL:http://secunia.com/advisories/33617
Reference: XF:typo3-adodb-xss(48137)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48137
Reference: XF:typo3-indexedsearchengine-xss(48135)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48135
Reference: XF:typo3-library-session-hijacking(48133)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48133

Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.0.0
through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allow
remote attackers to inject arbitrary web script or HTML via the (1)
name and (2) content of indexed files to the (a) Indexed Search Engine
(indexed_search) system extension; (b) unspecified test scripts in the
ADOdb system extension; and (c) unspecified vectors in the Workspace
module.


======================================================
Name: CVE-2009-0258
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0258
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/
Reference: BID:33376
Reference: URL:http://www.securityfocus.com/bid/33376
Reference: SECUNIA:33617
Reference: URL:http://secunia.com/advisories/33617
Reference: XF:typo3-indexedsearch-command-execution(48138)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48138

Unspecified vulnerability in the Indexed Search Engine
(indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0
through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to
execute arbitrary commands via unknown vectors related to the
command-line indexer.
