Chris John Riley discovered that the TYPO3-wide used encryption key is
generated with an insufficiently random seed resulting in low entropy
which makes it easier for attackers to crack this key. (CVE-2009-0255)
Marcus Krause discovered that TYPO3 is not invalidating a supplied session
on authentication which allows an attacker to take over a victims
session via a session fixation attack. (CVE-2009-0256)
Multiple cross-site scripting vulnerabilities allow remote attackers to
inject arbitrary web script or HTML via various arguments and user-
supplied strings used in the indexed search system extension, adodb
extension test scripts or the workspace module. (CVE-2009-0257)
Mads Olesen discovered a remote command injection vulnerability in
the indexed search system extension which allows attackers to
execute arbitrary code via a crafted file name which is passed
unescaped to various system tools that extract file content for
the indexing. (CVE-2009-0258)
