
CVE-2014-3946: Typo3 Information Disclosure

CVSS Score: 4

Basic Information

EPSS Score: 0.36567%
Published: 5/17/2022
Updated: 2/5/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
typo3/cms      composer    >= 6.2.0, < 6.2.3     6.2.3

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from improper cache key generation in Extbase's query caching mechanism. The root cause is the absence of user group context in the cache identifiers: a query result cached for one user group could be served to users in other groups, leaking data across groups. The functions responsible for generating cache keys (Typo3DbBackend::getCacheIdentifier) and for executing and caching queries (Query::execute) are directly implicated. These functions would have been patched to include user group information in the cache key, matching the vulnerability description and its resolution in TYPO3 6.2.3.
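To make the root cause concrete, here is an added illustrative example; it is not TYPO3 or Extbase code, and the names QueryResultCache, weakIdentifier, hardenedIdentifier and the toy rows are assumptions. It contrasts a cache identifier derived from the query alone, which lets a result set cached for a member leak to an anonymous visitor running the same query, with one that also binds the requesting user's group set.

```php
<?php
// Added illustrative example (not TYPO3 code): a minimal query-result cache that
// shows why a cache identifier must include the requesting user's group context.
// Class and function names below are assumptions made for this example.

final class QueryResultCache
{
    /** @var array<string, array<int, array<string, mixed>>> */
    private array $store = [];

    /**
     * Weak identifier: derived from the query text and parameters only.
     * Two users with different group memberships issuing the same query share
     * one entry, so the first user's rows are served to the second (the
     * CVE-2014-3946 pattern).
     */
    public static function weakIdentifier(string $sql, array $parameters): string
    {
        return sha1($sql . '|' . json_encode($parameters));
    }

    /**
     * Hardened identifier: also binds the sorted, de-duplicated set of user
     * group IDs. Sorting makes [1,2] and [2,1] hash identically; the separator
     * keeps groups [1,23] distinct from [12,3].
     */
    public static function hardenedIdentifier(string $sql, array $parameters, array $userGroups): string
    {
        $groups = array_values(array_unique(array_map('intval', $userGroups)));
        sort($groups, SORT_NUMERIC);
        return sha1($sql . '|' . json_encode($parameters) . '|groups:' . implode(',', $groups));
    }

    /** Return cached rows, or compute them via $resolver and cache them under $identifier. */
    public function fetch(string $identifier, callable $resolver): array
    {
        if (!array_key_exists($identifier, $this->store)) {
            $this->store[$identifier] = $resolver();
        }
        return $this->store[$identifier];
    }
}

// --- Constructed demonstration data -----------------------------------------
// A toy "database": rows restricted by frontend group, as TYPO3 records can be.
$rows = [
    ['uid' => 1, 'title' => 'Public notice',     'fe_group' => [0]],
    ['uid' => 2, 'title' => 'Members-only memo', 'fe_group' => [2]],
];

// Group-aware resolver: returns only the rows the given groups may see.
$resolverFor = function (array $userGroups) use ($rows): callable {
    return function () use ($rows, $userGroups): array {
        return array_values(array_filter(
            $rows,
            fn(array $row) => array_intersect($row['fe_group'], $userGroups) !== []
        ));
    };
};

$sql = 'SELECT uid,title FROM tt_content WHERE hidden=0';
$cache = new QueryResultCache();

// Weak key: a member (groups 0 and 2) runs the query first and warms the cache ...
$weak = QueryResultCache::weakIdentifier($sql, []);
$cache->fetch($weak, $resolverFor([0, 2]));
// ... then an anonymous visitor (group 0 only) issuing the same query gets the member's rows.
$leaked = $cache->fetch($weak, $resolverFor([0]));
printf("weak key: anonymous visitor sees %d rows (should be 1)\n", count($leaked));

// Hardened key: the group set is part of the identifier, so entries never cross groups.
$cache->fetch(QueryResultCache::hardenedIdentifier($sql, [], [0, 2]), $resolverFor([0, 2]));
$isolated = $cache->fetch(QueryResultCache::hardenedIdentifier($sql, [], [0]), $resolverFor([0]));
printf("hardened key: anonymous visitor sees %d rows\n", count($isolated));
```

Run with `php example.php` (PHP 7.4 or later for typed properties and arrow functions). The weak key reports 2 rows for the anonymous visitor, the hardened key reports 1. The same principle applies to any cache in front of access-controlled data: every input that changes the authorization decision (user groups, language, workspace) must be part of the key, or the cache becomes a cross-user disclosure channel.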


WAF Protection Rules

WAF Rule

Failing to respect user groups of logged in users when caching queries, Extbase is susceptible to information disclosure. The query caching (introduced in Extbase 6.2) used to cache queries that query results for a specific user group were presented
