Fluid Attacks Database

Description

TYPO3 CMS vulnerable to Weak Authentication in Frontend Login

Problem

Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary.

Solution

Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.

References

TYPO3-CORE-SA-2022-013

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	typo3/cms-core	>=0 <8.7.49 \|\| >=9.0.0 <9.5.38 \|\| >=10.0.0 <10.4.33 \|\| >=11.0.0 <11.5.20 \|\| >=12.0.0 <12.1.1	8.7.49, 9.5.38, 10.4.33, 11.5.20, 12.1.1
packagist	typo3/cms	>=10.0.0 <10.4.33 \|\| >=11.0.0 <11.5.20 \|\| >=12.0.0 <12.1.1	10.4.33, 11.5.20, 12.1.1

Aliases

1. CVE-2022-235012. NVD-2022-235013. OSV-2022-235014. GHSA-jfp7-79g7-89rf5. GCVE-2022-23501

References

1. https://github.com/TYPO3/typo3/security/advisories/GHSA-jfp7-79g7-89rf2. https://github.com/TYPO3/typo3/commit/28be9cdb3fed02ce4cfc6fa2d39f7d8e2266eced3. https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23501.yaml4. https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23501.yaml5. https://typo3.org/security/advisory/typo3-core-sa-2022-013

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.