CVE-2022-36105 — Observable Discrepancy in CMS

CWE-203 — Observable Discrepancy4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 48.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 CMS Typo3 Cms-core Typo3

Timeline

PublishedSep 13

Latest updateSep 16

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that observing response time during user authentication (backend and frontend) can be used to distinguish between existing and non-existing user accounts. Extension authors of 3rd party TYPO3 extensions providing a custom authentication service should check if the extension is affected by the described problem. Affected extensions must implement new `MimicServiceInterface::mimicAuth…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶Packagisttypo3/cms10.0.0 — 10.4.32+1

▶Packagisttypo3/cms-core7.0.0 — 7.6.58+4

▶NVDtypo3/typo37.0.0 — 7.6.57+4

▶CVEListV5typo3/typo35 versions+4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

TYPO3 CMS vulnerable to User Enumeration via Response Timing↗2022-09-16

▶

OSV

TYPO3 CMS vulnerable to User Enumeration via Response Timing↗2022-09-16

▶

CVEList

User Enumeration via Response Timing in TYPO3↗2022-09-13

▶