CVE-2020-26228

Published: Nov 23, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described.

Affected (2)

Products: Typo3: Typo3

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Typo3 Typo3	From 10.0.0 to 10.4.10
Typo3 Typo3	From 9.0.0 to 9.5.23

Related CWEs

Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

References (4)

https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-954j-f27r-cj52

Source: security-advisories@github.com

Third Party Advisory

https://typo3.org/security/advisory/typo3-core-sa-2020-011

Source: security-advisories@github.com

Vendor Advisory

https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-954j-f27r-cj52

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://typo3.org/security/advisory/typo3-core-sa-2020-011

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.