CVE-2011-4627: Typo3 Information Disclosure
6.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.55028%
CWE
Published
4/22/2022
Updated
1/12/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
typo3/cms | composer | < 4.3.12 | 4.3.12 |
typo3/cms | composer | >= 4.4.0, < 4.4.9 | 4.4.9 |
typo3/cms | composer | >= 4.5.0, < 4.5.4 | 4.5.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key issues in authentication handling: 1) Different HTTP headers for username/password failures enabled user enumeration. 2) Authentication delay bypass through crafted requests. The core authentication classes (t3lib_beUserAuth
) handling credential validation (checkAuthentication()
) and authentication flow (authUser()
) would be responsible for these behaviors. The TYPO3 advisory explicitly mentions these authentication-related information leaks as subcomponents of the vulnerability. While exact pre-patch code isn't available, these functions are central to backend authentication and match the described vulnerability patterns with high confidence.