CVE-2021-21339Cleartext Storage of Sensitive Info in Typo3

CWE-312Cleartext Storage of Sensitive Info4 documents4 sources
Severity
7.5HIGHNVD
CNA5.9
EPSS
0.1%
top 67.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Typo3Typo3 CMSTypo3 Cms-core+1 more
Timeline
PublishedMar 23

Description

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

Packagisttypo3/cms10.0.010.4.14+2
NVDtypo3/typo36.2.06.2.57+5
Packagisttypo3/cms-core6.2.06.2.57+5
CVEListV5typo3/typo3.cms6 versions+5

🔴Vulnerability Details

3
CVEList
Cleartext storage of session identifier2021-03-23
GHSA
Cleartext storage of session identifier2021-03-23
OSV
Cleartext storage of session identifier2021-03-23
CVE-2021-21339 — Cleartext Storage of Sensitive Info | cvebase