CVE-2025-24856

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-24856

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24856.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-24856

Aliases

GHSA-hj78-p4h7-m5fv

Published

2025-03-16T04:15:14Z

Modified

2025-03-18T09:02:58.941453Z

Summary

[none]

Details

An issue was discovered in the oidc (aka OpenID Connect Authentication) extension before 4.0.0 for TYPO3. The account linking logic allows a pre-hijacking attack, leading to Account Takeover. The attack can only be exploited if the following requirements are met: (1) an attacker can anticipate the e-mail address of the user, (2) an attacker can register a public frontend user account using that e-mail address before the user's first OIDC login, and (3) the IDP returns an email field containing the e-mail address of the user,

References

Affected packages

Git / github.com/xperseguers/t3ext-oidc

Affected ranges

Type: GIT
Repo: https://github.com/xperseguers/t3ext-oidc
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

877e09f6faf4c87bbb41233112ec7e30d3c902b3

Affected versions

0.*

0.1.0

0.2.0

0.5.0

1.*

1.0.0

1.1.0

1.2.0

2.*

2.0.0

2.1.0

v3.*

v3.0.0