CVE-2015-2047

Typo3 - Authentication Bypass

Title source: rule

Description

The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4.15, 4.5.0 through 4.5.39, and 4.6.0 through 4.6.18, when configured for the frontend, allows remote attackers to bypass authentication via a password that is casted to an empty value.

References (8)

[Mailing List] http://lists.opensuse.org/opensuse-updates/2016-08/msg00106.html

[Vendor Advisory] http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-001/

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1031824

[Various Sources] https://review.typo3.org/#/c/37013/

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/72763

[Third Party Advisory] http://www.debian.org/security/2015/dsa-3164

[Mailing List] http://www.openwall.com/lists/oss-security/2015/02/22/4

[Mailing List] http://www.openwall.com/lists/oss-security/2015/02/22/8

Scores

EPSS 0.0077

EPSS Percentile 73.2%

Classification

CWE

CWE-287

Status draft

Affected Products (50)

typo3/typo3

typo3/typo3

typo3/typo3

typo3/typo3

typo3/typo3

typo3/typo3

typo3/typo3

typo3/typo3

typo3/typo3

typo3/typo3

typo3/typo3

typo3/typo3

typo3/typo3

typo3/typo3

typo3/typo3

... and 35 more

Timeline

Published Feb 23, 2015

Tracked Since Feb 18, 2026