CVE-2022-23501 — Improper Authentication in Typo3

CWE-287 — Improper Authentication CWE-302 — Authentication Bypass by Assumed-Immutable Data4 documents4 sources

Severity

6.5MEDIUMNVD

CNA5.9

EPSS

0.2%

top 54.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 Typo3 CMS Typo3 Cms-core

Timeline

PublishedDec 14

Description

TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. This issue is patched in versions 8.7.49 ELTS, 9.5.38 …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Packagisttypo3/cms10.0.0 — 10.4.33+2

▶NVDtypo3/typo39.0.0 — 9.5.38+4

▶Packagisttypo3/cms-core9.0.0 — 9.5.38+4

▶CVEListV5typo3/typo35 versions+4

🔴Vulnerability Details

CVEList

TYPO3 vulnerable to Improper Authentication in Frontend Login↗2022-12-14

▶

GHSA

TYPO3 CMS vulnerable to Weak Authentication in Frontend Login↗2022-12-13

▶

OSV

TYPO3 CMS vulnerable to Weak Authentication in Frontend Login↗2022-12-13

▶