7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-rxc9-f2x6-qh4w

EPSS Score

CWE

CWE-287

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-rxc9-f2x6-qh4w

GHSA-rxc9-f2x6-qh4w: TYPO3 Security Misconfiguration for Backend User Accounts

When using the TYPO3 backend in order to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed - which might be entity type or the admin flag for backend users - the backend form is reloaded in order to reflect changed configuration possibilities. However, this leads to persisting the current state as well, which can result into some of the following:

account contains empty login credentials (username and/or password)
account is incomplete and contains weak credentials (username and/or password)

Albeit the functionality provided by the TYPO3 core cannot be used either with empty usernames or empty passwords, it still can be a severe vulnerability to custom authentication service implementations.

This weakness cannot be directly exploited and requires interaction on purpose by some backend user having according privileges.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-rxc9-f2x6-qh4w

EPSS Score

CWE

CWE-287

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-core	composer	>= 8.0.0, < 8.7.23	8.7.23
typo3/cms-core	composer	>= 9.0.0, < 9.5.4	9.5.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises from the absence of security checks in the DataHandler processing when creating or modifying backend users. The patch introduced a new hook (BackendUserPasswordCheck::processDatamap_preProcessFieldArray) to enforce non-empty credentials and set secure defaults. In vulnerable versions, this hook was missing, allowing empty/weak credentials to persist. However, the core DataHandler functions themselves are not inherently vulnerable; the issue stems from the lack of the security hook and configuration defaults. Thus, no specific vulnerable functions are present in the code—the vulnerability is due to missing safeguards rather than flawed existing functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n usin* t** TYPO* ***k*n* in or**r to *r**t* n*w ***k*n* us*r ***ounts, **t***s* r**or*s *ont*inin* ins**ur* or *mpty *r***nti*ls mi**t ** p*rsist**. W**n t** typ* o* us*r ***ount is ***n*** - w*i** mi**t ** *ntity typ* or t** **min *l** *or ***k*

Reasoning

T** vuln*r**ility *ris*s *rom t** **s*n** o* s**urity ****ks in t** **t***n*l*r pro**ssin* w**n *r**tin* or mo*i*yin* ***k*n* us*rs. T** p*t** intro*u*** * n*w *ook (***k*n*Us*rP*sswor*****k::pro**ss**t*m*p_pr*Pro**ss*i*l**rr*y) to *n*or** non-*mpty

7.5

Basic Information

Concerned about an active attack path?

GHSA-rxc9-f2x6-qh4w: TYPO3 Security Misconfiguration for Backend User Accounts

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI