| From the Debian alert:
Several remote vulnerabilities have been discovered in the TYPO3 web
content management framework. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2009-3628:
The Backend subcomponent allows remote authenticated users to
determine an encryption key via crafted input to a form field.
CVE-2009-3629:
Multiple cross-site scripting (XSS) vulnerabilities in the
Backend subcomponent allow remote authenticated users to inject
arbitrary web script or HTML.
CVE-2009-3630:
The Backend subcomponent allows remote authenticated users to
place arbitrary web sites in TYPO3 backend framesets via
crafted parameters.
CVE-2009-3631:
The Backend subcomponent, when the DAM extension or ftp upload
is enabled, allows remote authenticated users to execute
arbitrary commands via shell metacharacters in a filename.
CVE-2009-3632:
SQL injection vulnerability in the traditional frontend editing
feature in the Frontend Editing subcomponent allows remote
authenticated users to execute arbitrary SQL commands.
CVE-2009-3633:
Cross-site scripting (XSS) vulnerability in allows remote
attackers to inject arbitrary web script.
CVE-2009-3634:
Cross-site scripting (XSS) vulnerability in the Frontend Login Box
(aka felogin) subcomponent allows remote attackers to inject
arbitrary web script or HTML.
CVE-2009-3635:
The Install Tool subcomponent allows remote attackers to gain access
by using only the password's md5 hash as a credential.
CVE-2009-3636:
Cross-site scripting (XSS) vulnerability in the Install Tool
subcomponent allows remote attackers to inject arbitrary web script
or HTML. |