GHSA-rxc9-f2x6-qh4w: TYPO3 Security Misconfiguration for Backend User Accounts

1. GitHub Advisory Database
2. GitHub Reviewed
3. GHSA-rxc9-f2x6-qh4w

TYPO3 Security Misconfiguration for Backend User Accounts

High severity GitHub Reviewed Published May 30, 2024 to the GitHub Advisory Database • Updated May 30, 2024

Package

composer typo3/cms-core (Composer)

Affected versions

>= 8.0.0, < 8.7.23

>= 9.0.0, < 9.5.4

Patched versions

8.7.23

9.5.4

When using the TYPO3 backend in order to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed - which might be entity type or the admin flag for backend users - the backend form is reloaded in order to reflect changed configuration possibilities. However, this leads to persisting the current state as well, which can result into some of the following:

• account contains empty login credentials (username and/or password)
• account is incomplete and contains weak credentials (username and/or password)

Albeit the functionality provided by the TYPO3 core cannot be used either with empty usernames or empty passwords, it still can be a severe vulnerability to custom authentication service implementations.

This weakness cannot be directly exploited and requires interaction on purpose by some backend user having according privileges.

References

• TYPO3-CMS/core@1e0c7a6
• TYPO3-CMS/core@88c53ed
• https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-01-22-2.yaml
• https://typo3.org/security/advisory/typo3-core-sa-2019-002

Published to the GitHub Advisory Database

May 30, 2024

Last updated

May 30, 2024