Description
TYPO3 is an open source PHP based web content management system released under the GNU GPL. Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/TYPO3/typo3/security/advisories/GHSA-38r2-5695-334w
Vendor Advisory x_refsource_misc
https://typo3.org/security/advisory/typo3-core-sa-2024-003
Scores
CVSS v3
4.3
EPSS
0.0051
EPSS Percentile
66.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (3)
typo3/cms-core
8.0.0 - 8.7.57Packagist
typo3/typo3
13.0.0
typo3/typo3
8.0.0 - 8.7.57
Published
Feb 13, 2024
Tracked Since
Feb 18, 2026