CVE-2025-24856

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-24856
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24856.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-24856
Aliases
Published
2025-03-16T04:15:14Z
Modified
2025-03-18T09:02:58.941453Z
Summary
[none]
Details

An issue was discovered in the oidc (aka OpenID Connect Authentication) extension before 4.0.0 for TYPO3. The account linking logic allows a pre-hijacking attack, leading to Account Takeover. The attack can only be exploited if the following requirements are met: (1) an attacker can anticipate the e-mail address of the user, (2) an attacker can register a public frontend user account using that e-mail address before the user's first OIDC login, and (3) the IDP returns an email field containing the e-mail address of the user,

References

Affected packages

Git / github.com/xperseguers/t3ext-oidc

Affected ranges

Type
GIT
Repo
https://github.com/xperseguers/t3ext-oidc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1.0
0.2.0
0.5.0

1.*

1.0.0
1.1.0
1.2.0

2.*

2.0.0
2.1.0

v3.*

v3.0.0