CVE-2009-4159

TYPO3 direct_mail <2.6.4 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in the newsletter configuration feature in the backend module in the Direct Mail (direct_mail) extension 2.6.4 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

References (4)

[Vendor Advisory] http://secunia.com/advisories/37552

[Patch] http://typo3.org/extensions/repository/view/direct_mail/2.6.5/

[Patch, Vendor Advisory] http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-018/

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/37166

Scores

EPSS 0.0020

EPSS Percentile 42.0%

Classification

CWE

CWE-79

Status published

Affected Products (14)

ivan_kartolo/direct_mail < 2.6.4

ivan_kartolo/direct_mail

ivan_kartolo/direct_mail

ivan_kartolo/direct_mail

ivan_kartolo/direct_mail

ivan_kartolo/direct_mail

ivan_kartolo/direct_mail

ivan_kartolo/direct_mail

ivan_kartolo/direct_mail

ivan_kartolo/direct_mail

ivan_kartolo/direct_mail

ivan_kartolo/direct_mail

directmailteam/direct-mail < 2.6.5Packagist

n/a/n/a

Timeline

Published Dec 02, 2009

Tracked Since Feb 18, 2026