GHSA-6xh8-8pfv-53vx

Source
https://github.com/advisories/GHSA-6xh8-8pfv-53vx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-6xh8-8pfv-53vx/GHSA-6xh8-8pfv-53vx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6xh8-8pfv-53vx
Published
2024-06-05T14:17:20Z
Modified
2024-12-02T05:54:21.159681Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Authentication Bypass in TYPO3 CMS
Details

The default authentication service fails to reject an empty string as a password. It is therefore possible to authenticate as backend and frontend users whose password field in the database is empty. Note: TYPO3 itself does not allow user accounts to be created without a password, so an installation is only affected if a third-party component creates user accounts without a password by writing to the database directly.
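
The flaw described above, as an added illustrative example that is not TYPO3's own code: a generic password check that falls back to a plain comparison when no salted hash is stored (so an empty supplied password matches an empty database value), the hardened form that rejects empty input and empty stored credentials before comparing anything, and a small audit helper that lists accounts whose password column is empty, which is the check an operator would run to find rows written by a third-party component. The hash format, the function names and the sample user rows are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional


def make_hash(password: str) -> str:
    """Illustrative salted PBKDF2 hash in a hypothetical "$pbkdf2$<salt>$<digest>" format."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"$pbkdf2${salt.hex()}${digest.hex()}"


def verify_hash(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 100_000
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def check_password_vulnerable(supplied: str, stored: Optional[str]) -> bool:
    """Model of the flaw (not TYPO3's actual code): when no salted hash is
    stored, fall back to a plain string comparison, so "" == "" succeeds and
    an account with an empty password column can be logged into."""
    stored = stored or ""
    if stored.startswith("$"):
        return verify_hash(supplied, stored)
    return supplied == stored


def check_password_fixed(supplied: str, stored: Optional[str]) -> bool:
    """Hardened form: an empty supplied password or an empty/absent stored
    credential is a failure, and only a salted hash is an acceptable stored value."""
    if not supplied or not stored:
        return False
    if not stored.startswith("$"):
        return False
    return verify_hash(supplied, stored)


def find_passwordless_accounts(rows: List[dict]) -> List[str]:
    """Audit helper: usernames whose password column is NULL or the empty string."""
    return [r["username"] for r in rows if not r.get("password")]


# Constructed sample rows modelled on a CMS user table. "admin" was created by
# the CMS and has a hash; "importer" and "legacy" are the advisory's scenario:
# rows written by a third-party component without a password.
SAMPLE_USERS = [
    {"uid": 1, "username": "admin", "password": make_hash("correct horse")},
    {"uid": 2, "username": "importer", "password": ""},
    {"uid": 3, "username": "legacy", "password": None},
]


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        vuln = check_password_vulnerable("", user["password"])
        fixed = check_password_fixed("", user["password"])
        print(f'{user["username"]:>9}: empty password accepted? '
              f"vulnerable={vuln} fixed={fixed}")
    print("accounts with no password:", find_passwordless_accounts(SAMPLE_USERS))
```

On a real installation the audit is a query on the password column of the backend and frontend user tables (be_users and fe_users) for NULL or empty values; any rows found should be given a password or disabled regardless of whether the site has already been upgraded to 6.2.20, 7.6.5 or 8.0.1.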

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-05T14:17:20Z"
}
References

Affected packages

Packagist / typo3/cms

Package

Name
typo3/cms
Purl
pkg:composer/typo3/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.20

Affected versions

6.*

6.2.0
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.7
6.2.8
6.2.9
6.2.10-rc1
6.2.10
6.2.11
6.2.12
6.2.13
6.2.14
6.2.15
6.2.16
6.2.17
6.2.18
6.2.19

Packagist / typo3/cms

Package

Name
typo3/cms
Purl
pkg:composer/typo3/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.6.0
Fixed
7.6.5

Affected versions

7.*

7.6.0
7.6.1
7.6.2
7.6.3
7.6.4

Packagist / typo3/cms

Package

Name
typo3/cms
Purl
pkg:composer/typo3/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.1

Affected versions

8.*

8.0.0