CVE-2024-25119 — Sensitive Information Exposure in Typo3

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

4.9MEDIUMNVD

EPSS

0.3%

top 47.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 Typo3 Cms-core

Timeline

PublishedFeb 13

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. The plaintext value of `$GLOBALS['SYS']['encryptionKey']` was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. Users are adv…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages3 packages

▶NVDtypo3/typo38.0.0 — 8.7.57+5

▶Packagisttypo3/cms-core8.0.0 — 8.7.57+5

▶CVEListV5typo3/typo36 versions+5

🔴Vulnerability Details

CVEList

Information Disclosure of Encryption Key in TYPO3 Install Tool↗2024-02-13

▶

OSV

TYPO3 Install Tool vulnerable to Information Disclosure of Encryption Key↗2024-02-13

▶

GHSA

TYPO3 Install Tool vulnerable to Information Disclosure of Encryption Key↗2024-02-13

▶