CVE-2009-0255
HIGH
TYPO3 <4.2.3 - Info Disclosure
The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an insufficiently random seed, which makes it easier for attackers to crack the key.
Exploits (1)
metasploit
WORKING POC
by Chris John Riley · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/typo3_sa_2009_001.rb
References (6)
Scores
CVSS v3
7.5
EPSS
0.0511
EPSS Percentile
89.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-330
Status
published
Products (2)
debian/debian_linux
4.0
typo3/typo3
4.0 - 4.0.10
Published
Jan 22, 2009
Tracked Since
Feb 18, 2026