TYPO3 Security Misconfiguration for Backend User Accounts
High severity
GitHub Reviewed
Published
Jun 7, 2024
to the GitHub Advisory Database
•
Updated Jun 7, 2024
Package
Affected versions
>= 8.0.0, < 8.7.23
>= 9.0.0, < 9.5.4
Patched versions
8.7.23
9.5.4
Description
Published to the GitHub Advisory Database
Jun 7, 2024
Reviewed
Jun 7, 2024
Last updated
Jun 7, 2024
When using the TYPO3 backend in order to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed - which might be entity type or the admin flag for backend users - the backend form is reloaded in order to reflect changed configuration possibilities. However, this leads to persisting the current state as well, which can result into some of the following:
Albeit the functionality provided by the TYPO3 core cannot be used either with empty usernames or empty passwords, it still can be a severe vulnerability to custom authentication service implementations.
This weakness cannot be directly exploited and requires interaction on purpose by some backend user having according privileges.
References