VYPR
Low severity · NVD Advisory · Published Dec 2, 2009 · Updated Apr 23, 2026

CVE-2009-4159

Description

Cross-site scripting (XSS) vulnerability in the newsletter configuration feature in the backend module in the Direct Mail (direct_mail) extension 2.6.4 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting vulnerability in the Direct Mail TYPO3 extension (≤2.6.4) allows authenticated editors to inject arbitrary script via the newsletter configuration backend.

Vulnerability

The Direct Mail (direct_mail) extension for TYPO3 contains a persistent cross-site scripting (XSS) vulnerability in its backend newsletter configuration feature. The flaw exists in versions 2.6.4 and earlier; the extension does not properly sanitize user-supplied input, allowing the injection of arbitrary web script or HTML [1][3]. The vulnerable component is the backend module used by editors to administrate newsletter configurations [3].

Exploitation

An attacker must be an authenticated website editor with access to the Direct Mail backend module. By entering crafted JavaScript or HTML in the newsletter configuration fields, the attacker can inject malicious code [3]. The injected script executes in the context of the backend module, potentially affecting other editors or administrators who view the configuration [1][3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript or HTML in the backend of the TYPO3 installation. This can lead to session hijacking, defacement, or theft of sensitive data. Additionally, with specially crafted JavaScript, attackers may create malicious database records [3]. The impact is limited to authenticated users in the backend; however, it can escalate to broader compromise if administrative actions are performed by the victim.

Mitigation

The vulnerability is fixed in version 2.6.5, which is available from the TYPO3 extension manager and the TYPO3 extension repository [3][4]. Users of the Direct Mail extension are advised to update to 2.6.5 as soon as possible. No workaround is documented for unpatched installations. The extension is not part of the TYPO3 default installation [3].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions   Patched versions
directmailteam/direct-mail (Packagist)   < 2.6.5             2.6.5

Affected products (14)

  • Dkd/Direct Mail (13 versions)
    • cpe:2.3:a:ivan_kartolo:direct_mail:*:*:*:*:*:*:*:* (range: <=2.6.4)
    • cpe:2.3:a:ivan_kartolo:direct_mail:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ivan_kartolo:direct_mail:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ivan_kartolo:direct_mail:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ivan_kartolo:direct_mail:2.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ivan_kartolo:direct_mail:2.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ivan_kartolo:direct_mail:2.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ivan_kartolo:direct_mail:2.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ivan_kartolo:direct_mail:2.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ivan_kartolo:direct_mail:2.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ivan_kartolo:direct_mail:2.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ivan_kartolo:direct_mail:2.6.3:*:*:*:*:*:*:*
    • (no CPE) (range: <=2.6.4)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (9)

News mentions (0)

No linked articles in our index yet.