CVE-2020-11063

LOW

TYPO3 CMS <10.4.1 - Info Disclosure

Title source: llm

Description

In TYPO3 CMS versions 10.4.0 and 10.4.1, the password reset functionality for backend users is susceptible to timing attacks: the time taken to respond to a reset request depends on whether the submitted email address is assigned to a backend user account. This allows an attacker to enumerate backend users by email address. This has been fixed in 10.4.2.

Scores

CVSS v3: 3.7
EPSS: 0.0029
EPSS Percentile: 52.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE: CWE-204, CWE-203
Status: published

Affected Products (4)

typo3/typo3
typo3/typo3
typo3/cms-core < 10.4.2 (Packagist)
typo3/cms < 10.4.2 (Packagist)

Timeline

Published: May 13, 2020
Tracked Since: Feb 18, 2026