OVAL

DSA-1926-1 typo3-src -- several

ID: oval:org.secpod.oval:def:600319
Date: (C)2011-05-13   (M)2022-10-10
Class: PATCH
Family: unix




Several remote vulnerabilities have been discovered in the TYPO3 web content management framework. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-3628: The Backend subcomponent allows remote authenticated users to determine an encryption key via crafted input to a form field.

CVE-2009-3629: Multiple cross-site scripting vulnerabilities in the Backend subcomponent allow remote authenticated users to inject arbitrary web script or HTML.

CVE-2009-3630: The Backend subcomponent allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters.

CVE-2009-3631: The Backend subcomponent, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.

CVE-2009-3632: SQL injection vulnerability in the traditional frontend editing feature in the Frontend Editing subcomponent allows remote authenticated users to execute arbitrary SQL commands.

CVE-2009-3633: Cross-site scripting vulnerability in allows remote attackers to inject arbitrary web script.

CVE-2009-3634: Cross-site scripting vulnerability in the Frontend Login Box subcomponent allows remote attackers to inject arbitrary web script or HTML.

CVE-2009-3635: The Install Tool subcomponent allows remote attackers to gain access by using only the password's md5 hash as a credential.

CVE-2009-3636: Cross-site scripting vulnerability in the Install Tool subcomponent allows remote attackers to inject arbitrary web script or HTML.

For the old stable distribution , these problems have been fixed in version 4.0.2+debian-9.

For the stable distribution , these problems have been fixed in version 4.2.5-1+lenny2.

For the unstable distribution , these problems have been fixed in version 4.2.10-1.

We recommend that you upgrade your typo3-src package.

Platform:
Debian 5.0
Debian 4.0
Product:
typo3-src
Reference:
DSA-1926-1
CVE-2009-3628
CVE-2009-3629
CVE-2009-3630
CVE-2009-3631
CVE-2009-3632
CVE-2009-3633
CVE-2009-3634
CVE-2009-3635
CVE-2009-3636
CPE    2
cpe:/o:debian:debian_linux:4.0
cpe:/o:debian:debian_linux:5.0

© SecPod Technologies