Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-25118
Summary
TYPO3 is an open source PHP based web content management system released under the GNU GPL. Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. This issue affects the typo3 packages versions 8.0.0 through 8.7.56, 9.0.0 through 9.5.45, 10.0.0 through 10.4.42, 11.0.0 through 11.5.34, 12.0.0 through 12.4.10, and 13.0.0.
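The weakness described above is a form-rendering pattern: the stored password hash is written into the edit form, so anyone who can open that form obtains a hash they can crack offline. The following PHP sketch is an added illustration, not TYPO3's own code or the actual patch; the record layout, the field names (`data[be_users][...]`) and the function names are assumptions, the sample hash is constructed, and it assumes PHP 8 for `str_contains`. It shows the leaking pattern beside a hardened one in which the field is rendered empty and an empty submission means "keep the current password".

```php
<?php
declare(strict_types=1);

// Constructed sample backend user record (assumed layout, not TYPO3's schema).
// The hash value is a placeholder, not a real credential.
$user = [
    'uid'      => 42,
    'username' => 'editor',
    'password' => '$argon2i$v=19$m=65536,t=16,p=2$EXAMPLESALT$EXAMPLEHASHVALUE',
];

// LEAKING PATTERN (CWE-200): the stored hash is reflected into the value
// attribute, so it is present in the page source / DOM of the edit form.
function renderPasswordFieldLeaking(array $record): string
{
    return sprintf(
        '<input type="password" name="data[be_users][%d][password]" value="%s">',
        $record['uid'],
        htmlspecialchars($record['password'], ENT_QUOTES, 'UTF-8')
    );
}

// HARDENED PATTERN: the hash never leaves the server. The field is rendered
// empty; autocomplete is disabled so browsers do not refill it either.
function renderPasswordFieldHardened(array $record): string
{
    return sprintf(
        '<input type="password" name="data[be_users][%d][password]" value="" autocomplete="new-password">',
        $record['uid']
    );
}

// On submit: re-hash and store only when the editor actually entered a new
// password; an empty field leaves the existing hash untouched.
function applyPasswordUpdate(array $record, ?string $submitted): array
{
    if ($submitted === null || $submitted === '') {
        return $record; // unchanged: keep the current hash
    }
    $record['password'] = password_hash($submitted, PASSWORD_DEFAULT);
    return $record;
}

// Regression check worth keeping in a test suite: the rendered form markup
// must not contain the stored hash in any form (raw or HTML-escaped).
function formLeaksHash(string $html, string $storedHash): bool
{
    if ($storedHash === '') {
        return false;
    }
    return str_contains($html, $storedHash)
        || str_contains($html, htmlspecialchars($storedHash, ENT_QUOTES, 'UTF-8'));
}

// Demonstration on the constructed record.
var_dump(formLeaksHash(renderPasswordFieldLeaking($user), $user['password']));
var_dump(formLeaksHash(renderPasswordFieldHardened($user), $user['password']));

// Round trip of the hardened flow: an empty submission keeps the old hash,
// a non-empty one replaces it with a fresh hash of the new value.
$unchanged = applyPasswordUpdate($user, '');
$changed   = applyPasswordUpdate($user, 'new-secret-value');
var_dump($unchanged['password'] === $user['password']);
var_dump(password_verify('new-secret-value', $changed['password']));
```

The `formLeaksHash` check is the piece a defender can automate: render every backend edit form in a test harness with a known placeholder hash and fail the build if that string appears anywhere in the response body. Checking both the raw and the HTML-escaped form matters because a hash that survives `htmlspecialchars` unchanged (as most hash formats do) would otherwise slip past a naive escaped-only comparison.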
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- LOW
- LOW
- NONE
CWE-200 - Information Exposure
An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.
Advisory Timeline
- Published