GHSA-74w6-ww7w-45j9

Source

https://github.com/advisories/GHSA-74w6-ww7w-45j9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-74w6-ww7w-45j9/GHSA-74w6-ww7w-45j9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-74w6-ww7w-45j9

Aliases

CVE-2009-0258

Published

2022-05-02T03:13:52Z

Modified

2024-01-23T18:26:33.754576Z

Summary

Indexed Search Engine for TYPO3 Command Execution via Metacharacter Injection

Details

The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer.

Database specific

{
    "nvd_published_at": "2009-01-22T23:30:00Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-78"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-23T18:11:51Z"
}

References

Affected packages

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.0.10

Database specific

{
    "last_known_affected_version_range": "<= 4.0.9"
}

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.1.0

Fixed

4.1.8

Database specific

{
    "last_known_affected_version_range": "<= 4.1.7"
}

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0

Fixed

4.2.4

Database specific

{
    "last_known_affected_version_range": "<= 4.2.3"
}