Message-ID: <Pine.GSO.4.51.0901221711460.27455@faron.mitre.org>
Date: Thu, 22 Jan 2009 17:11:52 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: coley@...re.org
Subject: Re: CVE id request: typo3 SA-2009-001


======================================================
Name: CVE-2009-0255
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0255
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/
Reference: BID:33376
Reference: URL:http://www.securityfocus.com/bid/33376
Reference: SECUNIA:33617
Reference: URL:http://secunia.com/advisories/33617
Reference: XF:typo3-installtool-weak-security(48132)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48132

The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0
through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with
an insufficiently random seed, which makes it easier for attackers to
crack the key.


======================================================
Name: CVE-2009-0256
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0256
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/
Reference: BID:33376
Reference: URL:http://www.securityfocus.com/bid/33376
Reference: SECUNIA:33617
Reference: URL:http://secunia.com/advisories/33617
Reference: XF:typo3-library-session-hijacking(48133)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48133

Session fixation vulnerability in the authentication library in TYPO3
4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3
allows remote attackers to hijack web sessions via unspecified vectors
related to (1) frontend and (2) backend authentication.


======================================================
Name: CVE-2009-0257
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0257
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/
Reference: BID:33376
Reference: URL:http://www.securityfocus.com/bid/33376
Reference: SECUNIA:33617
Reference: URL:http://secunia.com/advisories/33617
Reference: XF:typo3-adodb-xss(48137)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48137
Reference: XF:typo3-indexedsearchengine-xss(48135)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48135
Reference: XF:typo3-library-session-hijacking(48133)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48133

Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.0.0
through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allow
remote attackers to inject arbitrary web script or HTML via the (1)
name and (2) content of indexed files to the (a) Indexed Search Engine
(indexed_search) system extension; (b) unspecified test scripts in the
ADOdb system extension; and (c) unspecified vectors in the Workspace
module.


======================================================
Name: CVE-2009-0258
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0258
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/
Reference: BID:33376
Reference: URL:http://www.securityfocus.com/bid/33376
Reference: SECUNIA:33617
Reference: URL:http://secunia.com/advisories/33617
Reference: XF:typo3-indexedsearch-command-execution(48138)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48138

Unspecified vulnerability in the Indexed Search Engine
(indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0
through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to
execute arbitrary commands via unknown vectors related to the
command-line indexer.
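Added example, not part of this message or of TYPO3's code, showing the failure class behind CVE-2009-0255 above: a key drawn from a deterministic PRNG seeded with a low-entropy value is only as hard to recover as the seed. The generator, the 16-byte key length, the whole-second timestamp seed and the search window are assumptions for illustration; the bulletin does not describe TYPO3's actual generator, and this is not it.

```python
import random
import secrets
from typing import Optional

KEY_BYTES = 16  # assumed key length for illustration, not TYPO3's real format


def weak_key(seed: int) -> str:
    """Hypothetical weak generator: a deterministic PRNG seeded with a
    low-entropy value (here a whole-second timestamp) and then used to
    draw the key.  Every bit of the key is a function of `seed`."""
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big").hex()


def strong_key() -> str:
    """Key drawn from the OS CSPRNG; there is no small seed to enumerate."""
    return secrets.token_hex(KEY_BYTES)


def recover_seed(key_hex: str, approx_time: int, window: int) -> Optional[int]:
    """Attacker side: re-run the generator for every candidate seed within
    +/- `window` seconds of a guessed install time and compare.  In practice
    the comparison would be against anything the key produced that can be
    checked (a MAC, a signed token), not the key itself."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if weak_key(seed) == key_hex:
            return seed
    return None


def demo() -> dict:
    """Constructed scenario: the install happened at some second in
    January 2009; the attacker's guess is 11 minutes off and searches one
    hour either side (7201 candidates)."""
    install_time = 1232662312
    leaked = weak_key(install_time)
    recovered = recover_seed(leaked, install_time + 660, 3600)
    # same search against a CSPRNG key: nothing to find
    strong_result = recover_seed(strong_key(), install_time, 3600)
    return {"recovered_seed": recovered, "strong_key_seed": strong_result}


if __name__ == "__main__":
    print(demo())
```

The point of the search window is that the attacker does not need the exact seed, only a plausible range; a 32-bit timestamp or a process id is a few thousand to a few billion candidates, which is trivially enumerable against a 128-bit key space.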

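Added example, not part of this message or of TYPO3's code, for the session fixation class named in CVE-2009-0256 above. The bulletin gives no vectors, so this is a generic model of the bug and of the two defences a practitioner checks for: regenerating the session identifier when the authentication level changes, and refusing to adopt a session identifier the server never issued. The SessionStore class, its flags and the planted value are illustrative assumptions.

```python
import secrets
from typing import Optional


class SessionStore:
    """Minimal server-side session store (illustrative, not TYPO3's).

    regenerate_on_login : issue a fresh ID at login and drop the old one
    accept_unknown_ids  : adopt a cookie value the server never issued
    """

    def __init__(self, regenerate_on_login: bool, accept_unknown_ids: bool):
        self.sessions: dict = {}
        self.regenerate_on_login = regenerate_on_login
        self.accept_unknown_ids = accept_unknown_ids

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, sid: Optional[str]) -> str:
        """Map the incoming cookie to a session."""
        if sid is not None and sid in self.sessions:
            return sid
        if sid is not None and self.accept_unknown_ids:
            # fixation-friendly: the attacker's chosen value becomes a real session
            self.sessions[sid] = {"user": None}
            return sid
        return self.new_session()

    def login(self, sid: Optional[str], user: str) -> str:
        """Authenticate and return the ID the client must use from now on."""
        sid = self.resolve(sid)
        if self.regenerate_on_login:
            data = self.sessions.pop(sid)  # pre-login ID is no longer valid
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        s = self.sessions.get(sid)
        return s["user"] if s else None


def fixation_attack(store: SessionStore, use_server_issued_id: bool) -> Optional[str]:
    """Attacker plants an ID in the victim's cookie (via whatever vector),
    the victim logs in, and the attacker then presents the planted ID.
    Returns the user the attacker is logged in as, or None."""
    if use_server_issued_id:
        planted = store.new_session()  # attacker first obtains a valid ID
    else:
        planted = "deadbeef" * 4       # constructed, never issued by the server
    store.login(planted, "victim")
    return store.whoami(planted)


if __name__ == "__main__":
    for regen, unknown in [(False, True), (False, False), (True, True), (True, False)]:
        s = SessionStore(regenerate_on_login=regen, accept_unknown_ids=unknown)
        print(regen, unknown,
              fixation_attack(s, use_server_issued_id=False),
              fixation_attack(s, use_server_issued_id=True))
```

Rejecting unknown identifiers only blocks the lazy variant; an attacker who can obtain a valid anonymous session from the server and plant that still wins unless the identifier is regenerated at login. Regeneration is the fix; strict acceptance is defence in depth.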
