CVE-2020-11063

LOW

TYPO3 CMS <10.4.1 - Info Disclosure

Title source: llm

Description

In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2.

Scores

CVSS v3 3.7
EPSS 0.0029
EPSS Percentile 52.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-204, CWE-203
Status published
Products (4)
typo3/cms 10.0.0 - 10.4.2 (Packagist)
typo3/cms-core 10.0.0 - 10.4.2 (Packagist)
typo3/typo3 10.4.0
typo3/typo3 10.4.1
Published May 13, 2020
Tracked Since Feb 18, 2026