BIT-typo3-2020-11063

Import Source
https://github.com/bitnami/vulndb/tree/main/data/typo3/BIT-typo3-2020-11063.json
JSON Data
https://api.test.osv.dev/v1/vulns/BIT-typo3-2020-11063
Aliases
Published
2024-03-06T11:12:09.766Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

In TYPO3 CMS versions 10.4.0 and 10.4.1, the password reset functionality for backend users is susceptible to time-based attacks. This allows an attacker to enumerate users based on the email addresses assigned to backend user accounts. This has been fixed in 10.4.2.

Database specific
{
    "cpes": [
        "cpe:2.3:a:typo3:typo3:10.4.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:typo3:typo3:10.4.1:*:*:*:*:*:*:*"
    ],
    "severity": "Low"
}
References

Affected packages

Bitnami / typo3

Package

Name
typo3
Purl
pkg:bitnami/typo3

Severity

  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected ranges

Type
SEMVER
Events
Introduced
10.4.0
Last affected
10.4.0
Introduced
10.4.1
Last affected
10.4.1