CVE-2009-3633: CSRF
First published: Mon Nov 02 2009(Updated: )
Cross-site scripting (XSS) vulnerability in the `t3lib_div::quoteJSvalue` API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the sanitizing algorithm.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/typo3/cms-core | >=4.3alpha1<4.3beta2 | 4.3beta2 |
| composer/typo3/cms-core | >=4.2.0<4.2.10 | 4.2.10 |
| composer/typo3/cms-core | >=4.1.0<4.1.13 | 4.1.13 |
| composer/typo3/cms-core | <=4.0.13 | |
| TYPO3 | <=4.0.12 | |
| TYPO3 | =0.1.2 | |
| TYPO3 | =1.0.14 | |
| TYPO3 | =1.1 | |
| TYPO3 | =1.1.1 | |
| TYPO3 | =1.1.09 | |
| TYPO3 | =1.1.10 | |
| TYPO3 | =1.2.0 | |
| TYPO3 | =1.3.0 | |
| TYPO3 | =1.3.2 | |
| TYPO3 | =3.0 | |
| TYPO3 | =3.3.x | |
| TYPO3 | =3.5 | |
| TYPO3 | =3.5.x | |
| TYPO3 | =3.6.x | |
| TYPO3 | =3.7.0 | |
| TYPO3 | =3.7.1 | |
| TYPO3 | =3.7.x | |
| TYPO3 | =3.8 | |
| TYPO3 | =3.8.x | |
| TYPO3 | =4.0 | |
| TYPO3 | =4.0.1 | |
| TYPO3 | =4.0.2 | |
| TYPO3 | =4.0.3 | |
| TYPO3 | =4.0.4 | |
| TYPO3 | =4.0.5 | |
| TYPO3 | =4.0.6 | |
| TYPO3 | =4.0.7 | |
| TYPO3 | =4.0.8 | |
| TYPO3 | =4.0.9 | |
| TYPO3 | =4.0.10 | |
| TYPO3 | =4.0.11 | |
| TYPO3 | =4.1.0 | |
| TYPO3 | =4.1.0-beta1 | |
| TYPO3 | =4.1.0-rc1 | |
| TYPO3 | =4.1.1 | |
| TYPO3 | =4.1.2 | |
| TYPO3 | =4.1.3 | |
| TYPO3 | =4.1.4 | |
| TYPO3 | =4.1.5 | |
| TYPO3 | =4.1.6 | |
| TYPO3 | =4.1.7 | |
| TYPO3 | =4.1.8 | |
| TYPO3 | =4.1.9 | |
| TYPO3 | =4.1.10 | |
| TYPO3 | =4.1.11 | |
| TYPO3 | =4.1.12 | |
| TYPO3 | =4.2.0 | |
| TYPO3 | =4.2.1 | |
| TYPO3 | =4.2.2 | |
| TYPO3 | =4.2.3 | |
| TYPO3 | =4.2.4 | |
| TYPO3 | =4.2.5 | |
| TYPO3 | =4.2.6 | |
| TYPO3 | =4.2.7 | |
| TYPO3 | =4.2.8 | |
| TYPO3 | =4.2.9 | |
| TYPO3 | =4.3 | |
| TYPO3 | =4.3-alpha1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://secunia.com/advisories/37122
- http://www.vupen.com/english/advisories/2009/3009
- http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/
- http://www.securityfocus.com/bid/36801
- http://marc.info/?l=oss-security&m=125632856206736&w=2
- http://marc.info/?l=oss-security&m=125633199111438&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53925
- https://nvd.nist.gov/vuln/detail/CVE-2009-3633
- https://github.com/TYPO3/typo3/commit/51f3dd9804cae04575323b92a9136e5a511fe810
- https://github.com/TYPO3/typo3/commit/5d4218fad3aeda46236754004232d7e635205e7a
- https://github.com/TYPO3/typo3/commit/ef9ab2da76c2506306d835209d2a38195bdf7bcf
- https://web.archive.org/web/20101223093042/http://www.securityfocus.com/bid/36801
- https://github.com/advisories/GHSA-m7rg-85g8-28m9 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2009-3633?
CVE-2009-3633 has a severity rating that allows remote attackers to execute arbitrary web scripts or HTML via cross-site scripting vulnerabilities.
How do I fix CVE-2009-3633?
To fix CVE-2009-3633, you should upgrade to TYPO3 version 4.3beta2 or later, 4.2.10 or later, or 4.1.13 or later.
Which versions of TYPO3 are affected by CVE-2009-3633?
CVE-2009-3633 affects TYPO3 versions 4.0.13 and earlier, as well as specific earlier versions in the 4.1.x, 4.2.x, and 4.3.x series.
Is CVE-2009-3633 a cross-site scripting vulnerability?
Yes, CVE-2009-3633 is identified as a cross-site scripting (XSS) vulnerability.
Can CVE-2009-3633 lead to data theft?
Yes, CVE-2009-3633 could potentially allow attackers to steal sensitive information through injected scripts.
- agent/weakness
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-m7rg-85g8-28m9
- alias/CVE-2009-3633
- agent/software-canonical-lookup
- agent/author
- agent/remedy
- agent/severity
- agent/references
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- package-manager/composer
- vendor/typo3
- canonical/typo3 typo3
- version/typo3 typo3/4.3-alpha1
- version/typo3 typo3/1.1
- version/typo3 typo3/4.1.11
- version/typo3 typo3/4.1.1
- version/typo3 typo3/4.1.0-beta1
- version/typo3 typo3/3.5.x
- version/typo3 typo3/4.2.4
- version/typo3 typo3/4.2.5
- version/typo3 typo3/4.1.8
- version/typo3 typo3/4.1.6
- version/typo3 typo3/0.1.2
- version/typo3 typo3/4.0.10
- version/typo3 typo3/4.2.0
- version/typo3 typo3/4.0.5
- version/typo3 typo3/4.2.8
- version/typo3 typo3/4.1.12
- version/typo3 typo3/4.0.3
- version/typo3 typo3/4.2.3
- version/typo3 typo3/1.3.0
- version/typo3 typo3/3.7.1
- version/typo3 typo3/4.1.4
- version/typo3 typo3/3.7.x
- version/typo3 typo3/1.2.0
- version/typo3 typo3/4.0.4
- version/typo3 typo3/4.2.1
- version/typo3 typo3/4.0.1
- version/typo3 typo3/4.3
- version/typo3 typo3/4.1.7
- version/typo3 typo3/4.1.0
- version/typo3 typo3/1.1.1
- version/typo3 typo3/4.1.0-rc1
- version/typo3 typo3/4.0.12
- version/typo3 typo3/4.0.2
- version/typo3 typo3/3.5
- version/typo3 typo3/4.2.6
- version/typo3 typo3/4.0.7
- version/typo3 typo3/4.0
- version/typo3 typo3/4.1.9
- version/typo3 typo3/1.1.09
- version/typo3 typo3/4.2.2
- version/typo3 typo3/3.8.x
- version/typo3 typo3/4.0.8
- version/typo3 typo3/3.6.x
- version/typo3 typo3/1.3.2
- version/typo3 typo3/3.0
- version/typo3 typo3/3.7.0
- version/typo3 typo3/3.3.x
- version/typo3 typo3/4.1.3
- version/typo3 typo3/1.1.10
- version/typo3 typo3/4.2.7
- version/typo3 typo3/4.0.6
- version/typo3 typo3/4.0.9
- version/typo3 typo3/1.0.14
- version/typo3 typo3/4.1.5
- version/typo3 typo3/3.8
- version/typo3 typo3/4.1.10
- version/typo3 typo3/4.1.2
- version/typo3 typo3/4.2.9
- version/typo3 typo3/4.0.11