Security Misconfiguration

Affecting typo3/cms package, versions >=8.0.0, <8.7.23 || >=9.0.0, <9.5.4


Overview

typo3/cms is a free open source Content Management Framework.

Affected versions of this package are vulnerable to Security Misconfiguration. When the type of an existing backend user is changed, the backend form is reloaded to reflect the changed configuration options. This can result in an account with empty credentials. The weakness cannot be exploited directly; it requires deliberate interaction by a backend user who holds the corresponding privileges.

Remediation

Upgrade typo3/cms to version 8.7.23, 9.5.4 or higher.
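The version check a practitioner would run against a project's composer.lock, added here as an example that is not part of the advisory and not Snyk's or TYPO3's own code. It parses the affected range exactly as stated above and evaluates it against a constructed sample lock file; the `check_lock` and `is_affected` names are the example's own.

```python
import json
import re

# Affected range as stated in the advisory ('||' separates alternative
# ranges; each range is a list of comparators that must all hold).
AFFECTED = ">=8.0.0, <8.7.23 || >=9.0.0, <9.5.4"
PACKAGE = "typo3/cms"

# Constructed sample composer.lock content (not a real project's lock file).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms", "version": "v9.5.3"},
    {"name": "symfony/console", "version": "v4.2.2"},
]})

_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}

def parse_version(text):
    """Turn 'v9.5.3' or '8.7.23' into a comparable tuple of ints."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unsupported version format: %r" % text)
    return tuple(int(x) for x in m.groups())

def is_affected(version, spec=AFFECTED):
    """True when `version` lies inside any '||'-separated range of `spec`."""
    v = parse_version(version)
    for clause in spec.split("||"):
        # '>=' and '<=' are listed before '>' and '<' so they match first.
        comparators = re.findall(r"(>=|<=|>|<|=)\s*v?(\d+\.\d+\.\d+)", clause)
        if comparators and all(_OPS[op](v, parse_version(val))
                               for op, val in comparators):
            return True
    return False

def check_lock(lock_json, package=PACKAGE, spec=AFFECTED):
    """Return (installed_version, affected) for `package`, or (None, False)."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"], is_affected(pkg["version"], spec)
    return None, False

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```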

CVSS Score

8.3 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

Credit: Oliver Eglseder
CWE: CWE-288
Snyk ID: SNYK-PHP-TYPO3CMS-73594
Disclosed: 22 Jan, 2019
Published: 22 Jan, 2019