Description
TYPO3 is an open source, PHP-based web content management system. In versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may be logged as plain text. This occurs when explicitly using log level debug, which is not the default configuration. TYPO3 versions 9.5.28, 10.4.18, and 11.3.1 contain a patch for this vulnerability.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-34fr-fhqr-7235
Vendor Advisory x_refsource_misc
https://typo3.org/security/advisory/typo3-core-sa-2021-012
Scores
CVSS v3
5.3
EPSS
0.0033
EPSS Percentile
55.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-532
Status
published
Products (3)
typo3/cms
10.0.0 - 10.4.18 (Packagist)
typo3/cms-core
7.0.0 - 7.6.52 (Packagist)
typo3/typo3
7.0.0 - 7.6.51
Published
Jul 20, 2021
Tracked Since
Feb 18, 2026