GitHub Advisory DatabaseGHSA-JFP7-79G7-89RFTYPO3 CMS vulnerable to Weak Authentication in Frontend Login
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
28.1%
Problem
Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary.
Solution
Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.
References
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| typo3/cms | lt | 12.1.1 | |
| typo3/cms | lt | 11.5.20 | |
| typo3/cms | lt | 10.4.33 | |
| typo3/cms-core | lt | 12.1.1 | |
| typo3/cms-core | lt | 11.5.20 | |
| typo3/cms-core | lt | 10.4.33 | |
| typo3/cms-core | lt | 9.5.38 | |
| typo3/cms-core | lt | 8.7.49 |
References
github.com/advisories/GHSA-jfp7-79g7-89rf
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23501.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23501.yaml
github.com/TYPO3/typo3/commit/28be9cdb3fed02ce4cfc6fa2d39f7d8e2266eced
github.com/TYPO3/typo3/security/advisories/GHSA-jfp7-79g7-89rf
nvd.nist.gov/vuln/detail/CVE-2022-23501
typo3.org/security/advisory/typo3-core-sa-2022-013
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
28.1%