-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| typo3/cms-core | composer | >= 7.0.0, < 7.6.58 | 7.6.58 |
| typo3/cms-core | composer | >= 8.0.0, < 8.7.48 | 8.7.48 |
| typo3/cms-core | composer | >= 9.0.0, < 9.5.37 | 9.5.37 |
| typo3/cms-core | composer | >= 10.0.0, < 10.4.32 | 10.4.32 |
| typo3/cms-core | composer | >= 11.0.0, < 11.5.16 | 11.5.16 |
| typo3/cms | composer | >= 10.0.0, < 10.4.32 | 10.4.32 |
| typo3/cms | composer | >= 11.0.0, < 11.5.16 | 11.5.16 |
Miggo AIRoot Cause AnalysisThe vulnerability stems from timing discrepancies during authentication. The checkAuthentication method controlled the authentication flow but lacked code to simulate delays for invalid users, making response times leak user existence. The authUser method's password validation for valid users created a baseline timing difference. The fix introduced mimicAuthUser in AuthenticationService and triggered it in checkAuthentication to eliminate this discrepancy. Third-party authentication services without mimicAuthUser implementations would also be vulnerable, but the core issue resides in the unpatched checkAuthentication flow and authUser's lack of mitigation.
PHPPHPOngoing coverage of React2Shell