GHSA-347x-877p-hcwx

Suggest an improvement
Source
https://github.com/advisories/GHSA-347x-877p-hcwx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-347x-877p-hcwx/GHSA-347x-877p-hcwx.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-347x-877p-hcwx
Aliases
Published
2020-05-13T22:19:21Z
Modified
2024-12-03T21:50:05.916210Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Information Disclosure in Password Reset
Details

In TYPO3 CMS 10.4.0 through 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts.

This has been fixed in 10.4.2.

References

  • https://typo3.org/security/advisory/typo3-core-sa-2020-001
Database specific
{
    "nvd_published_at": "2020-05-13T23:15:11Z",
    "cwe_ids": [
        "CWE-203",
        "CWE-204"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2020-05-13T22:16:54Z"
}
References

Affected packages

Packagist / typo3/cms-core

Package

Name
typo3/cms-core
Purl
pkg:composer/typo3/cms-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.4.2

Affected versions

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1

Packagist / typo3/cms

Package

Name
typo3/cms
Purl
pkg:composer/typo3/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.4.2

Affected versions

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1