CVE-2009-3634
Description
Cross-site scripting (XSS) vulnerability in the Frontend Login Box (aka felogin) subcomponent in TYPO3 4.2.0 through 4.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in TYPO3 Frontend Login Box (felogin) allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
Vulnerability
The Frontend Login Box (felogin) subcomponent in TYPO3 versions 4.2.0 through 4.2.6 contains a cross-site scripting (XSS) vulnerability. Unspecified parameters are not properly sanitized before being reflected back to the user, enabling injection of arbitrary web script or HTML [1].
Exploitation
An attacker can exploit this flaw by crafting a malicious URL containing injected script in the vulnerable parameter. No authentication is required; the attacker only needs to trick a victim into visiting the crafted link. The script executes in the victim's browser within the context of the TYPO3 site.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive data. The attack operates at the privilege level of the victim user.
Mitigation
The vulnerability is fixed in TYPO3 versions 4.2.7 and later, as documented in TYPO3 Security Bulletin SA-2009-016 [1]. Users unable to upgrade should apply the patch provided in that bulletin. No other workarounds are disclosed in the available references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:4.2.6:*:*:*:*:*:*:*
- Range: >=4.2.0, <=4.2.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/ (nvd; Patch; Vendor Advisory)
- www.securityfocus.com/bid/36801 (nvd; Patch)
- www.vupen.com/english/advisories/2009/3009 (nvd; Patch; Vendor Advisory)
- secunia.com/advisories/37122 (nvd; Vendor Advisory)
- marc.info (nvd)
- marc.info (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/53926 (nvd)
News mentions
No linked articles in our index yet.