Critical

CVE-2009-0258 - Input Validation vulnerability in Typo3

Publication: 2009-01-22
Summary

The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer.

Classification
CWE-20: Input Validation

Risk level (CVSS 10)

Critical

10.0

Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High

Authentication

  • None
  • Single
  • Multiple

Confident. Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

Affected Products

  • Typo3 Typo3 4.0
  • Typo3 Typo3 4.0.1
  • Typo3 Typo3 4.0.2
  • Typo3 Typo3 4.0.3
  • Typo3 Typo3 4.0.4
  • Typo3 Typo3 4.0.5
  • Typo3 Typo3 4.0.6
  • Typo3 Typo3 4.0.7
  • Typo3 Typo3 4.0.8
  • Typo3 Typo3 4.0.9
  • Typo3 Typo3 4.1.0
  • Typo3 Typo3 4.1.0
  • Typo3 Typo3 4.1.0
  • Typo3 Typo3 4.1.1
  • Typo3 Typo3 4.1.2
  • Typo3 Typo3 4.1.3
  • Typo3 Typo3 4.1.4
  • Typo3 Typo3 4.1.5
  • Typo3 Typo3 4.1.6
  • Typo3 Typo3 4.1.7
  • Typo3 Typo3 4.2.0
  • Typo3 Typo3 4.2.1
  • Typo3 Typo3 4.2.2
  • Typo3 Typo3 4.2.3