Authentication Bypass in TYPO3 CMS

The default authentication service misses to invalidate empty strings as password. Therefore it is possible to authenticate backend and frontend users without password set in the database. Note: TYPO3 does not allow to create user accounts without a password. Your TYPO3 installation might only be affected if there is a third party component creating user accounts without password by directly manipulating the database.

Published: Jun 5, 2024
Updated: Jun 27, 2024
GHSA: GHSA-6xh8-8pfv-53vx
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
typo3 / cms	6.2.0	6.2.20
typo3 / cms	7.6.0	7.6.5
typo3 / cms	8.0.0	8.0.1

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2016-04-12-3.yaml
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-011

Vulnerability Database

Authentication Bypass in TYPO3 CMS