CVE-2024-25118: Sensitive Information Exposure in TYPO3

Severity: 6.5 MEDIUM (NVD); 4.3 (CNA)
EPSS: 0.5% (top 33.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Feb 13

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There ar

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

Source      Package          Affected versions
NVD         typo3/typo3      8.0.0 to 8.7.57 (+5 more ranges)
Packagist   typo3/cms-core   8.0.0 to 8.7.57 (+5 more ranges)
CVEListV5   typo3/typo3      6 versions (+5 more ranges)

Vulnerability Details (3 sources)

GHSA (2024-02-13): TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords
CVEList (2024-02-13): Information Disclosure of Hashed Passwords in TYPO3 Backend Forms
OSV (2024-02-13): TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords
CVE-2024-25118 — Sensitive Information Exposure | cvebase