CVE-2024-25118

TYPO3 is an open source PHP based web content management system released under the GNU GPL. Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue.

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/TYPO3/typo3/security/advisories/GHSA-38r2-5695-334w	Vendor Advisory
https://typo3.org/security/advisory/typo3-core-sa-2024-003	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:typo3:typo3:13.0.0:::::::*
	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3::::::::

History

16 Oct 2024, 16:42

Type	Values Removed	Values Added
CWE	~~CWE-200~~	NVD-CWE-noinfo
CPE		cpe:2.3:a:typo3:typo3:13.0.0:::::::* cpe:2.3:a:typo3:typo3::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
First Time		Typo3 Typo3 typo3
References	~~() https://github.com/TYPO3/typo3/security/advisories/GHSA-38r2-5695-334w -~~	() https://github.com/TYPO3/typo3/security/advisories/GHSA-38r2-5695-334w - Vendor Advisory
References	~~() https://typo3.org/security/advisory/typo3-core-sa-2024-003 -~~	() https://typo3.org/security/advisory/typo3-core-sa-2024-003 - Vendor Advisory

13 Feb 2024, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-13 23:15

Updated : 2024-10-16 16:42

NVD link : CVE-2024-25118

Mitre link : CVE-2024-25118

JSON object : View

Products Affected

typo3

typo3

CWE

NVD-CWE-noinfo

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-38r2-5695-334w", "name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-38r2-5695-334w", "tags": ["Vendor Advisory"], "refsource": ""}, {"url": "https://typo3.org/security/advisory/typo3-core-sa-2024-003", "name": "https://typo3.org/security/advisory/typo3-core-sa-2024-003", "tags": ["Vendor Advisory"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "TYPO3 is an open source PHP based web content management system released under the GNU GPL. Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2024-25118", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}}, "publishedDate": "2024-02-13T23:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:typo3:typo3:13.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "8.7.57", "versionStartIncluding": "8.0.0"}, {"cpe23Uri": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "9.5.46", "versionStartIncluding": "9.0.0"}, {"cpe23Uri": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "10.4.43", "versionStartIncluding": "10.0.0"}, {"cpe23Uri": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "11.5.35", "versionStartIncluding": "11.0.0"}, {"cpe23Uri": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "12.4.11", "versionStartIncluding": "12.0.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2024-10-16T16:42Z"}