
GHSA-rxc9-f2x6-qh4w: TYPO3 Security Misconfiguration for Backend User Accounts

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 5/30/2024
Updated: 5/30/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name      Ecosystem   Vulnerable Versions    First Patched Version
typo3/cms-core    composer    >= 8.0.0, < 8.7.23     8.7.23
typo3/cms-core    composer    >= 9.0.0, < 9.5.4      9.5.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability arises from the absence of security checks in the DataHandler processing when creating or modifying backend users. The patch introduced a new hook (BackendUserPasswordCheck::processDatamap_preProcessFieldArray) to enforce non-empty credentials and set secure defaults. In vulnerable versions this hook was missing, so records with empty or weak credentials could be persisted. The core DataHandler functions themselves are not inherently vulnerable; the issue stems from the missing security hook and the configuration defaults. Thus no specific vulnerable functions are present in the code: the vulnerability is due to missing safeguards rather than flawed existing functions.


WAF Protection Rules

WAF Rule

When using the TYPO3 backend in order to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed - which might be entity type or the admin flag for backe
