CVE-2017-6370

MEDIUM

TYPO3 - Cleartext Transmission

Title source: rule

Description

TYPO3 7.6.15 sends an HTTP request to an index.php?loginProvider URI in cases with an HTTPS Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields.

Exploits (1)

nomisec WRITEUP 2 stars
by faizzaidi · poc
https://github.com/faizzaidi/TYPO3-v7.6.15-Unencrypted-Login-Request

Scores

CVSS v3 5.3
EPSS 0.0011
EPSS Percentile 29.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE
CWE-319
Status published

Affected Products (3)

typo3/typo3
typo3/cms Packagist
n/a/n/a

Timeline

Published Mar 17, 2017
Tracked Since Feb 18, 2026