CVE-2009-0256 - OpenCVE

Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Typo3	Typo3

Configuration 1 [-]

OR	cpe:2.3:a:typo3:typo3:4.0:::::::*
	cpe:2.3:a:typo3:typo3:4.0.1:::::::*
	cpe:2.3:a:typo3:typo3:4.0.2:::::::*
	cpe:2.3:a:typo3:typo3:4.0.3:::::::*
	cpe:2.3:a:typo3:typo3:4.0.4:::::::*
	cpe:2.3:a:typo3:typo3:4.0.5:::::::*
	cpe:2.3:a:typo3:typo3:4.0.6:::::::*
	cpe:2.3:a:typo3:typo3:4.0.7:::::::*
	cpe:2.3:a:typo3:typo3:4.0.8:::::::*
	cpe:2.3:a:typo3:typo3:4.0.9:::::::*
	cpe:2.3:a:typo3:typo3:4.1.0:::::::*
	cpe:2.3:a:typo3:typo3:4.1.0:beta1::::::
	cpe:2.3:a:typo3:typo3:4.1.0:rc1::::::
	cpe:2.3:a:typo3:typo3:4.1.1:::::::*
	cpe:2.3:a:typo3:typo3:4.1.2:::::::*
	cpe:2.3:a:typo3:typo3:4.1.3:::::::*
	cpe:2.3:a:typo3:typo3:4.1.4:::::::*
	cpe:2.3:a:typo3:typo3:4.1.5:::::::*
	cpe:2.3:a:typo3:typo3:4.1.6:::::::*
	cpe:2.3:a:typo3:typo3:4.1.7:::::::*
	cpe:2.3:a:typo3:typo3:4.2.0:::::::*
	cpe:2.3:a:typo3:typo3:4.2.1:::::::*
	cpe:2.3:a:typo3:typo3:4.2.2:::::::*
	cpe:2.3:a:typo3:typo3:4.2.3:::::::*

References

Link	Resource
http://secunia.com/advisories/33617	Vendor Advisory
http://secunia.com/advisories/33679
http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/	Vendor Advisory
http://www.debian.org/security/2009/dsa-1711
http://www.securityfocus.com/bid/33376
https://exchange.xforce.ibmcloud.com/vulnerabilities/48133

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2009-01-22T23:00:00

Updated: 2017-08-07T12:57:01

Reserved: 2009-01-22T00:00:00

Link: CVE-2009-0256

JSON object: View

NVD Information

Status : Modified

Published: 2009-01-22T23:30:04.437

Modified: 2017-08-08T01:33:51.593

Link: CVE-2009-0256

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-01-21T00:00:00", "descriptions": [{"lang": "en", "value": "Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/"}, {"name": "33617", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/33617"}, {"name": "DSA-1711", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2009/dsa-1711"}, {"name": "33376", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/33376"}, {"name": "typo3-library-session-hijacking(48133)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48133"}, {"name": "33679", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/33679"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-0256", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/", "refsource": "CONFIRM", "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/"}, {"name": "33617", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33617"}, {"name": "DSA-1711", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2009/dsa-1711"}, {"name": "33376", "refsource": "BID", "url": "http://www.securityfocus.com/bid/33376"}, {"name": "typo3-library-session-hijacking(48133)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48133"}, {"name": "33679", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33679"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-0256", "datePublished": "2009-01-22T23:00:00", "dateReserved": "2009-01-22T00:00:00", "dateUpdated": "2017-08-07T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:typo3:typo3:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "25EAE65C-1E17-48CD-B48C-E0BC09FB6596", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "501A9157-044A-4856-8092-418D7329EED3", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "4EA47174-9BC4-4B74-8618-6A7B0773553B", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "5A13146E-EC04-4354-9123-BC7CB292C66A", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F27B173-8D10-47F7-8450-F8808A918295", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0D1FAD0A-6B98-476B-BCD2-361996CA1C36", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "AE992D57-AF82-4BF0-96E8-98110C0AEBF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "7A9A484F-C34D-4885-8125-D9C8725EEB4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "DCCB2DE6-4407-4E40-8574-9C813183565B", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "E19647A4-C422-42D0-863B-5B6E0B08BFAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "AC2F89D7-D34C-4ADD-8A9E-34C37122C3C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "273F2E33-0655-46DE-9397-E16658B4BD8C", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "3B8F7039-4117-4D53-ABE8-99C10518D351", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "161E310F-F2D8-40B3-8390-8C52ACDD0B72", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "F6B33D32-4D59-4768-A2C6-9DC7CD30F5E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "4679B5DF-25FA-40E9-A322-DF1FF1BC7E7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "96D69530-AE74-4012-B522-01D0B6B01662", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "5514D17F-95A5-48C5-9F91-554F8D3C3DF7", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "E46E35EC-FF7B-4510-A5F2-FC230B7477B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "5A671ED2-91AA-4447-8996-A8A16FE753A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "D93919E9-B3E8-483E-A701-D87570127207", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F6B1326B-CB9E-4B40-85BD-05AF52E6A1D2", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "FDDEAF6A-8A99-4872-98CC-12BD54515B07", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "8D8185B9-D244-43B3-9DF1-FF137A2108DD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication."}, {"lang": "es", "value": "Vulnerabilidad de fijaci\u00f3n de sesi\u00f3n en la librer\u00eda de autenticaci\u00f3n en TYPO3 v4.0.0 a v4.0.9, v4.1.0 a v4.1.7 y v4.2.0 a v4.2.3, permite a atacantes remotos secuestrar sesiones web mediante vectores no especificados, en relaci\u00f3n con (1) el interfaz externo y (2) la autenticaci\u00f3n del interfaz interno."}], "id": "CVE-2009-0256", "lastModified": "2017-08-08T01:33:51.593", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-01-22T23:30:04.437", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/33617"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/33679"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2009/dsa-1711"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/33376"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48133"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}