CVE-2009-4159: TYPO3 Direct Mail Extension Vulnerable to Cross-Site Scripting (XSS)

May 2, 2022 (updated April 10, 2025)

Cross-site scripting (XSS) vulnerability in the newsletter configuration feature in the backend module in the Direct Mail (direct_mail) extension 2.6.4 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

References

github.com/advisories/GHSA-7x6f-jvmg-6fgp
github.com/kartolo/direct_mail
nvd.nist.gov/vuln/detail/CVE-2009-4159
web.archive.org/web/20110108051351/http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-018
web.archive.org/web/20200228220911/http://www.securityfocus.com/bid/37166

Code Behaviors & Features

Detect and mitigate CVE-2009-4159 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →