CVE-2020-11063 typo3/cms-core

Package

Manager: composer
Name: typo3/cms-core
Vulnerable Version: >=10.0.0 <10.4.2

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00292 (percentile 0.52124)

Details

Information Disclosure in Password Reset

In TYPO3 CMS 10.4.0 through 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2.

### References

* https://typo3.org/security/advisory/typo3-core-sa-2020-001

Metadata

Created: 2020-05-13T22:19:21Z
Modified: 2024-12-03T21:36:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-347x-877p-hcwx/GHSA-347x-877p-hcwx.json
CWE IDs: ["CWE-203", "CWE-204"]
Alternative ID: GHSA-347x-877p-hcwx
Finding: F047
Auto approve: 1