Miggo Logo

CVE-2011-4627: Typo3 Information Disclosure

6.5

CVSS Score
3.1

Basic Information

EPSS Score
0.55028%
Published
4/22/2022
Updated
1/12/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
typo3/cmscomposer< 4.3.124.3.12
typo3/cmscomposer>= 4.4.0, < 4.4.94.4.9
typo3/cmscomposer>= 4.5.0, < 4.5.44.5.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key issues in authentication handling: 1) Different HTTP headers for username/password failures enabled user enumeration. 2) Authentication delay bypass through crafted requests. The core authentication classes (t3lib_beUserAuth) handling credential validation (checkAuthentication()) and authentication flow (authUser()) would be responsible for these behaviors. The TYPO3 advisory explicitly mentions these authentication-related information leaks as subcomponents of the vulnerability. While exact pre-patch code isn't available, these functions are central to backend authentication and match the described vulnerability patterns with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

TYPO* ***or* *.*.**, *.*.x ***or* *.*.*, *n* *.*.x ***or* *.*.* *llows In*orm*tion *is*losur* on t** ***k*n*.

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s in *ut**nti**tion **n*lin*: *) *i***r*nt *TTP *****rs *or us*rn*m*/p*sswor* **ilur*s *n**l** us*r *num*r*tion. *) *ut**nti**tion **l*y *yp*ss t*rou** *r**t** r*qu*sts. T** *or* *ut**nti**tion *l*ss*s (`t*li