CVE-2022-23501

MEDIUM

TYPO3 < 8.7.49, 9.5.38, 10.4.33, 11.5.20, 12.1.1 - Improper Authentication via Username Ambiguity

Title source: llm

Description

TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

References (1)

Core 1

Core References

Third Party Advisory x_refsource_confirm

https://github.com/TYPO3/typo3/security/advisories/GHSA-jfp7-79g7-89rf

Scores

CVSS v3 5.9

EPSS 0.0023

EPSS Percentile 45.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (3)

typo3/cms 10.0.0 - 10.4.33Packagist

typo3/cms-core 0 - 8.7.49Packagist

typo3/typo3 < 8.7.49

Published Dec 14, 2022

Tracked Since Feb 18, 2026