CVE-2009-0258 — Improper Input Validation in CMS

CWE-20 — Improper Input Validation CWE-78 — OS Command Injection4 documents4 sources

Severity

10.0CRITICALNVD

EPSS

3.4%

top 12.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 CMS Typo3

Timeline

PublishedJan 22

Latest updateMay 2

Description

The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages2 packages

▶Packagisttypo3/cms4.0.0 — 4.0.10+2

▶NVDtypo3/typo322 versions+21

🔴Vulnerability Details

GHSA

Indexed Search Engine for TYPO3 Command Execution via Metacharacter Injection↗2022-05-02

▶

OSV

Indexed Search Engine for TYPO3 Command Execution via Metacharacter Injection↗2022-05-02

▶

CVEList

CVE-2009-0258: The Indexed Search Engine (indexed_search) system extension in TYPO3 4↗2009-01-22

▶