Message-ID: <Pine.GSO.4.51.0901221711460.27455@faron.mitre.org>
Date: Thu, 22 Jan 2009 17:11:52 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: coley@...re.org
Subject: Re: CVE id request: typo3 SA-2009-001

======================================================
Name: CVE-2009-0255
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0255
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/
Reference: BID:33376
Reference: URL:http://www.securityfocus.com/bid/33376
Reference: SECUNIA:33617
Reference: URL:http://secunia.com/advisories/33617
Reference: XF:typo3-installtool-weak-security(48132)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48132

The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0
through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an
insufficiently random seed, which makes it easier for attackers to crack
the key.

======================================================
Name: CVE-2009-0256
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0256
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/
Reference: BID:33376
Reference: URL:http://www.securityfocus.com/bid/33376
Reference: SECUNIA:33617
Reference: URL:http://secunia.com/advisories/33617
Reference: XF:typo3-library-session-hijacking(48133)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48133

Session fixation vulnerability in the authentication library in TYPO3
4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows
remote attackers to hijack web sessions via unspecified vectors related to
(1) frontend and (2) backend authentication.

======================================================
Name: CVE-2009-0257
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0257
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/
Reference: BID:33376
Reference: URL:http://www.securityfocus.com/bid/33376
Reference: SECUNIA:33617
Reference: URL:http://secunia.com/advisories/33617
Reference: XF:typo3-adodb-xss(48137)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48137
Reference: XF:typo3-indexedsearchengine-xss(48135)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48135
Reference: XF:typo3-library-session-hijacking(48133)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48133

Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.0.0 through
4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allow remote attackers
to inject arbitrary web script or HTML via the (1) name and (2) content of
indexed files to the (a) Indexed Search Engine (indexed_search) system
extension; (b) unspecified test scripts in the ADOdb system extension; and
(c) unspecified vectors in the Workspace module.

======================================================
Name: CVE-2009-0258
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0258
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/
Reference: BID:33376
Reference: URL:http://www.securityfocus.com/bid/33376
Reference: SECUNIA:33617
Reference: URL:http://secunia.com/advisories/33617
Reference: XF:typo3-indexedsearch-command-execution(48138)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48138

Unspecified vulnerability in the Indexed Search Engine (indexed_search)
system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and
4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands
via unknown vectors related to the command-line indexer.
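The two weakness classes named in CVE-2009-0255 (encryption key generated from an insufficiently random seed) and CVE-2009-0256 (session fixation in authentication) are generic enough to be shown in miniature. The following Python is an added illustration, not TYPO3 code and not derived from the advisory: the "weak" key generator seeds a PRNG with only an install timestamp (an assumed design, chosen to make the low-entropy point concrete; the advisory does not say what TYPO3's seed was), the attacker recovers the seed by enumerating a time window and checking a tag computed with the key, and the toy session store shows why a login that keeps the pre-authentication session id lets an attacker-planted id become an authenticated one. All credentials, timestamps and messages are constructed.

```python
import hashlib
import hmac
import random
import secrets
from typing import Optional

# ---- CVE-2009-0255 style weakness: key derived from a low-entropy seed ----

KEY_HEX_LEN = 32  # 128-bit key rendered as hex


def weak_encryption_key(install_time: int) -> str:
    """Assumed weak scheme: a non-cryptographic PRNG seeded only with the
    install timestamp, so the key has at most as much entropy as the seed."""
    rng = random.Random(install_time)
    return "".join(rng.choice("0123456789abcdef") for _ in range(KEY_HEX_LEN))


def strong_encryption_key() -> str:
    """Corrected scheme: draw the key from the OS CSPRNG, not from a seed."""
    return secrets.token_hex(KEY_HEX_LEN // 2)


def tag_with_key(key: str, message: bytes) -> str:
    """Something the attacker can observe that depends on the key, e.g. an
    HMAC over a known value (constructed stand-in for a real token)."""
    return hmac.new(key.encode(), message, hashlib.sha256).hexdigest()


def recover_weak_key(observed_tag: str, known_message: bytes,
                     approx_install_time: int, window: int = 3600) -> Optional[str]:
    """Enumerate every candidate seed within +/- window seconds of the guessed
    install time and return the key that reproduces the observed tag.
    2*window+1 candidates is trivially cheap; a real 128-bit key is not."""
    for t in range(approx_install_time - window, approx_install_time + window + 1):
        candidate = weak_encryption_key(t)
        if hmac.compare_digest(tag_with_key(candidate, known_message), observed_tag):
            return candidate
    return None


# ---- CVE-2009-0256 style weakness: session id not rotated at login ----

class SessionStore:
    """Minimal server-side session table. regenerate_on_login=False mirrors the
    fixation-prone behaviour; True is the usual fix (rotate the id once the
    session's privilege level changes). Rejecting client-supplied ids that the
    server never issued is a second, independent defence not modelled here."""

    def __init__(self, regenerate_on_login: bool):
        self.sessions: dict[str, dict] = {}
        self.regenerate_on_login = regenerate_on_login

    def request(self, cookie_sid: Optional[str]) -> str:
        # Adopts whatever id the client presents, creating it if unknown.
        if cookie_sid is None:
            cookie_sid = secrets.token_hex(16)
        self.sessions.setdefault(cookie_sid, {"user": None})
        return cookie_sid

    def login(self, sid: str, username: str, password: str) -> str:
        if password != "correct horse":  # constructed credential check
            return sid
        if self.regenerate_on_login:
            new_sid = secrets.token_hex(16)
            self.sessions[new_sid] = self.sessions.pop(sid)
            sid = new_sid
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(regenerate_on_login: bool) -> Optional[str]:
    """Returns the user the attacker's original session id resolves to after
    the victim logs in with that id: 'victim' if fixation succeeds, None if not."""
    store = SessionStore(regenerate_on_login)
    attacker_sid = store.request(None)          # attacker obtains a valid id
    victim_sid = store.request(attacker_sid)    # victim's browser is made to send it
    store.login(victim_sid, "victim", "correct horse")
    return store.whoami(attacker_sid)           # attacker replays the id
```

The interesting comparison is `fixation_attack(False)` against `fixation_attack(True)`: only the version that issues a fresh id at login leaves the attacker's pre-planted id unauthenticated. For the key example, a strong key generated by `strong_encryption_key()` cannot be recovered by `recover_weak_key`, because no seed in the window reproduces it.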