TYPO3 Core TYPO3-SA-2010-012 Multiple Remote Security Vulnerabilities

TYPO3 is prone to multiple remote vulnerabilities, including:

Cross site scripting vulnerabilities
Authentication-bypass vulnerabilities
Information-disclosure vulnerabilities
SQL-injection vulnerabilities
HTML-injection vulnerabilities
A session-fixation vulnerability
An open-email-relay vulnerability
Random-number generation issues

An attacker can exploit these issues to execute arbitrary script code, steal cookie-based authentication credentials, obtain sensitive information, gain unauthorized access to the affected application, bypass certain security restrictions, compromise the affected application, exploit latent vulnerabilities in the underlying database, and send unsolicited emails. Other attacks are also possible.

The follow versions are affected

TYPO3 4.1 (4.1.13 and prior)
TYPO3 4.2 (4.2.12 and prior)
TYPO3 4.3 (4.3.3 and prior)
TYPO3 4.4 (4.4 and prior)


Bugtraq ID: 42029
Class: Unknown
CVE: CVE-2010-3659

Remote: Yes
Local: No
Published: Jul 28 2010 12:00AM
Updated: Oct 24 2017 01:04PM
Credit: Jelmer de Hen, Nikolas Hagelstein, Daniel Sloof, Tobias Liebig, Georg Ringer, Dmitry Dulepov and Helmut Hummel, Maxime Verroye, Marc Bastian Heinrichs, Steffen Kamper, Ernesto Baschny, Tim Lochmüller, Sascha Kettler, Lars Houmark, Franz G.
Vulnerable: Typo3 Typo3 4.4
Typo3 Typo3 4.3.3
Typo3 Typo3 4.3.2
Typo3 Typo3 4.3.1
Typo3 Typo3 4.3
Typo3 Typo3 4.2.12
Typo3 Typo3 4.2.11
Typo3 Typo3 4.2.10
Typo3 Typo3 4.2.9
Typo3 Typo3 4.2.6
Typo3 Typo3 4.2.4
Typo3 Typo3 4.2.3
Typo3 Typo3 4.2.2
Typo3 Typo3 4.2.1
Typo3 Typo3 4.2
Typo3 Typo3 4.1.13
Typo3 Typo3 4.1.12
Typo3 Typo3 4.1.10
Typo3 Typo3 4.1.8
Typo3 Typo3 4.1.7
Typo3 Typo3 4.1.6
Typo3 Typo3 4.1.4
Typo3 Typo3 4.1
Typo3 Typo3 4.3.0beta1
Typo3 Typo3 4.1beta
Typo3 Typo3 4.1 RC1
Debian Linux 5.0 sparc
Debian Linux 5.0 s/390
Debian Linux 5.0 powerpc
Debian Linux 5.0 mipsel
Debian Linux 5.0 mips
Debian Linux 5.0 m68k
Debian Linux 5.0 ia-64
Debian Linux 5.0 ia-32
Debian Linux 5.0 hppa
Debian Linux 5.0 armel
Debian Linux 5.0 arm
Debian Linux 5.0 amd64
Debian Linux 5.0 alpha
Debian Linux 5.0

Not Vulnerable: Typo3 Typo3 4.4.1
Typo3 Typo3 4.1.14
Typo3 Typo3 4.3.4
Typo3 Typo3 4.2.13


Attackers can use a browser to exploit these issues. To exploit a cross-site scripting vulnerability, an attacker must entice an unsuspecting victim to follow a malicious URI.

Related Posts