5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-6xh8-8pfv-53vx

GHSA-6xh8-8pfv-53vx: Authentication Bypass in TYPO3 CMS

The default authentication service misses to invalidate empty strings as password. Therefore it is possible to authenticate backend and frontend users without password set in the database. Note: TYPO3 does not allow to create user accounts without a password. Your TYPO3 installation might only be affected if there is a third party component creating user accounts without password by directly manipulating the database.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-6xh8-8pfv-53vx

GHSA-6xh8-8pfv-53vx:

5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms	composer	>= 6.2.0, < 6.2.20	6.2.20
typo3/cms	composer	>= 7.6.0, < 7.6.5	7.6.5
typo3/cms	composer	>= 8.0.0, < 8.0.1	8.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers around improper password validation in TYPO3's core authentication service. The authUser method is the primary authentication entry point that would process password validation. The advisory explicitly identifies the authentication service as the vulnerable component, and this method would contain the logic that failed to reject empty passwords when the database contained empty password hashes (from third-party manipulation). This matches the CWE-287 pattern where authentication checks are incomplete.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-6xh8-8pfv-53vx: Authentication Bypass in TYPO3 CMS

GHSA-6xh8-8pfv-53vx:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

5.4

5.4

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-6xh8-8pfv-53vx: Authentication Bypass in TYPO3 CMS

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI