Basic Information
CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| friendsoftypo3/openid | composer | >= 4.5.0, < 4.5.31 | 4.5.31 |
| friendsoftypo3/openid | composer | >= 4.7.0, < 4.7.16 | 4.7.16 |
| friendsoftypo3/openid | composer | >= 6.0.0, < 6.0.11 | 6.0.11 |
| friendsoftypo3/openid | composer | >= 6.1.0, < 6.1.6 | 6.1.6 |
The vulnerability is an open redirect caused by improper validation of a user-controlled redirect URL in the OpenID login flow. TYPO3's security bulletin states that the OpenID extension did not validate user-provided input that was used for redirects. In an OpenID Relying Party, the code that processes the authentication response (including the 'openid.return_to' value) and the login handler that sends the user onward after a successful login are the usual places where a redirect target is read from the request. Without the patch to point to, the CWE-20 (improper input validation) classification and the typical shape of open-redirect bugs indicate that these handlers accepted the redirect parameter without checking it against the site's own origin. Confidence in this assessment rests on the explicit advisory wording and on standard OpenID implementation patterns.
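The check that the advisory says was missing, as an added example written for this page; it is not TYPO3's or the openid extension's code. It contrasts the vulnerable pattern (the client-supplied return URL is used as-is) with a validator that only permits site-relative paths or absolute URLs on an allowlisted host, and it rejects the usual bypasses: scheme-relative `//host`, backslash variants that browsers normalise to `//`, userinfo tricks such as `https://trusted@evil`, non-HTTP schemes, and control characters. The parameter name `return_to`, the allowed host `www.example.org` and the function names are assumptions.

```python
"""Added example: validating a user-supplied post-login redirect target.

Illustrative code, not TYPO3's or the openid extension's source. Function
names, the 'return_to' parameter and the allowed host are assumptions.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"www.example.org"})  # assumed host(s) of the site itself
SAFE_FALLBACK = "/"


def vulnerable_redirect_target(params: dict) -> str:
    """The pattern the advisory describes: whatever the client sent is used as-is."""
    return params.get("return_to", SAFE_FALLBACK)


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if redirecting to `url` keeps the browser on this site."""
    if not url or any(ord(c) < 0x21 for c in url):
        # Empty, whitespace and control characters: reject outright
        # (CR/LF would also enable header injection in a Location header).
        return False
    if "\\" in url:
        # Browsers treat "\" like "/" in URLs, so "/\evil.com" is "//evil.com".
        return False

    parts = urlsplit(url)

    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: must start with exactly one "/" ("//host" is
        # scheme-relative and would leave the site).
        return url.startswith("/") and not url.startswith("//")

    if parts.scheme not in ("http", "https"):
        # javascript:, data:, and anything else that is not a web origin.
        return False
    if parts.netloc == "" or "@" in parts.netloc:
        # No userinfo: "https://www.example.org@evil.com/" really goes to evil.com.
        return False

    # .hostname is lowercased and has the port and IPv6 brackets stripped,
    # so the comparison is case-insensitive and not fooled by ":443".
    return parts.hostname in allowed_hosts


def safe_redirect_target(params: dict, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened form: fall back to a fixed local page unless the target validates."""
    candidate = params.get("return_to", "")
    return candidate if is_safe_redirect(candidate, allowed_hosts) else SAFE_FALLBACK


if __name__ == "__main__":
    # Constructed request parameters, as an attacker-controlled login link would set them.
    attacker_params = {"return_to": "//evil.com/phish"}
    print("vulnerable:", vulnerable_redirect_target(attacker_params))
    print("hardened:  ", safe_redirect_target(attacker_params))
```

Allowlisting the host is deliberately preferred over blocklisting known-bad prefixes: every bypass listed in the comments (scheme-relative, backslash, userinfo) is a way of making a foreign host look like a local path, and an allowlist on the parsed hostname is not affected by how the string was dressed up.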