CVE-2009-3635

The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the passwords md5 hash as a credential.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Typo3	Typo3	*	4.0.12 (including)
Typo3	Typo3	0.1.2 (including)	0.1.2 (including)
Typo3	Typo3	1.0.14 (including)	1.0.14 (including)
Typo3	Typo3	1.1 (including)	1.1 (including)
Typo3	Typo3	1.1.1 (including)	1.1.1 (including)
Typo3	Typo3	1.1.09 (including)	1.1.09 (including)
Typo3	Typo3	1.1.10 (including)	1.1.10 (including)
Typo3	Typo3	1.2.0 (including)	1.2.0 (including)
Typo3	Typo3	1.3.0 (including)	1.3.0 (including)
Typo3	Typo3	1.3.2 (including)	1.3.2 (including)
Typo3	Typo3	3.0 (including)	3.0 (including)
Typo3	Typo3	3.3.x (including)	3.3.x (including)
Typo3	Typo3	3.5 (including)	3.5 (including)
Typo3	Typo3	3.5.x (including)	3.5.x (including)
Typo3	Typo3	3.6.x (including)	3.6.x (including)
Typo3	Typo3	3.7.0 (including)	3.7.0 (including)
Typo3	Typo3	3.7.1 (including)	3.7.1 (including)
Typo3	Typo3	3.7.x (including)	3.7.x (including)
Typo3	Typo3	3.8 (including)	3.8 (including)
Typo3	Typo3	3.8.x (including)	3.8.x (including)
Typo3	Typo3	4.0 (including)	4.0 (including)
Typo3	Typo3	4.0.1 (including)	4.0.1 (including)
Typo3	Typo3	4.0.2 (including)	4.0.2 (including)
Typo3	Typo3	4.0.3 (including)	4.0.3 (including)
Typo3	Typo3	4.0.4 (including)	4.0.4 (including)
Typo3	Typo3	4.0.5 (including)	4.0.5 (including)
Typo3	Typo3	4.0.6 (including)	4.0.6 (including)
Typo3	Typo3	4.0.7 (including)	4.0.7 (including)
Typo3	Typo3	4.0.8 (including)	4.0.8 (including)
Typo3	Typo3	4.0.9 (including)	4.0.9 (including)
Typo3	Typo3	4.0.10 (including)	4.0.10 (including)
Typo3	Typo3	4.0.11 (including)	4.0.11 (including)
Typo3	Typo3	4.1.0 (including)	4.1.0 (including)
Typo3	Typo3	4.1.0-beta1 (including)	4.1.0-beta1 (including)
Typo3	Typo3	4.1.0-rc1 (including)	4.1.0-rc1 (including)
Typo3	Typo3	4.1.1 (including)	4.1.1 (including)
Typo3	Typo3	4.1.2 (including)	4.1.2 (including)
Typo3	Typo3	4.1.3 (including)	4.1.3 (including)
Typo3	Typo3	4.1.4 (including)	4.1.4 (including)
Typo3	Typo3	4.1.5 (including)	4.1.5 (including)
Typo3	Typo3	4.1.6 (including)	4.1.6 (including)
Typo3	Typo3	4.1.7 (including)	4.1.7 (including)
Typo3	Typo3	4.1.8 (including)	4.1.8 (including)
Typo3	Typo3	4.1.9 (including)	4.1.9 (including)
Typo3	Typo3	4.1.10 (including)	4.1.10 (including)
Typo3	Typo3	4.1.11 (including)	4.1.11 (including)
Typo3	Typo3	4.1.12 (including)	4.1.12 (including)
Typo3	Typo3	4.2.0 (including)	4.2.0 (including)
Typo3	Typo3	4.2.1 (including)	4.2.1 (including)
Typo3	Typo3	4.2.2 (including)	4.2.2 (including)
Typo3	Typo3	4.2.3 (including)	4.2.3 (including)
Typo3	Typo3	4.2.4 (including)	4.2.4 (including)
Typo3	Typo3	4.2.5 (including)	4.2.5 (including)
Typo3	Typo3	4.2.6 (including)	4.2.6 (including)
Typo3	Typo3	4.2.7 (including)	4.2.7 (including)
Typo3	Typo3	4.2.8 (including)	4.2.8 (including)
Typo3	Typo3	4.2.9 (including)	4.2.9 (including)
Typo3	Typo3	4.3 (including)	4.3 (including)
Typo3	Typo3	4.3-alpha1 (including)	4.3-alpha1 (including)
Typo3-src	Ubuntu	dapper	*
Typo3-src	Ubuntu	hardy	*
Typo3-src	Ubuntu	intrepid	*
Typo3-src	Ubuntu	jaunty	*
Typo3-src	Ubuntu	karmic	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2009-3635
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

References

CVE-2009-3635

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References