CVE-2009-0815: TYPO3 leaks a hash secret in an error message

May 2, 2022 (updated April 10, 2025)

The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.

References

github.com/TYPO3/typo3
github.com/advisories/GHSA-c22j-84c7-cm77
nvd.nist.gov/vuln/detail/CVE-2009-0815
web.archive.org/web/20091206080208/http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002
web.archive.org/web/20200915000000*/http://www.securitytracker.com/id?1021710

Code Behaviors & Features

Detect and mitigate CVE-2009-0815 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →