7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-rxc9-f2x6-qh4w

EPSS Score

CWE

CWE-287

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-rxc9-f2x6-qh4w

GHSA-rxc9-f2x6-qh4w: TYPO3 Security Misconfiguration for Backend User Accounts

When using the TYPO3 backend in order to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed - which might be entity type or the admin flag for backend users - the backend form is reloaded in order to reflect changed configuration possibilities. However, this leads to persisting the current state as well, which can result into some of the following:

account contains empty login credentials (username and/or password)
account is incomplete and contains weak credentials (username and/or password)

Albeit the functionality provided by the TYPO3 core cannot be used either with empty usernames or empty passwords, it still can be a severe vulnerability to custom authentication service implementations.

This weakness cannot be directly exploited and requires interaction on purpose by some backend user having according privileges.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-rxc9-f2x6-qh4w

GHSA-rxc9-f2x6-qh4w:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-rxc9-f2x6-qh4w

EPSS Score

CWE

CWE-287

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-core	composer	>= 8.0.0, < 8.7.23	8.7.23
typo3/cms-core	composer	>= 9.0.0, < 9.5.4	9.5.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises from the absence of security checks in the DataHandler processing when creating or modifying backend users. The patch introduced a new hook (BackendUserPasswordCheck::processDatamap_preProcessFieldArray) to enforce non-empty credentials and set secure defaults. In vulnerable versions, this hook was missing, allowing empty/weak credentials to persist. However, the core DataHandler functions themselves are not inherently vulnerable; the issue stems from the lack of the security hook and configuration defaults. Thus, no specific vulnerable functions are present in the code—the vulnerability is due to missing safeguards rather than flawed existing functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-rxc9-f2x6-qh4w: TYPO3 Security Misconfiguration for Backend User Accounts

GHSA-rxc9-f2x6-qh4w:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-rxc9-f2x6-qh4w: TYPO3 Security Misconfiguration for Backend User Accounts

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI