CVE-2014-3945 — TYPO3 vulnerable to authentication bypass via leveraging knowledge of password h

Description

The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remote attackers to bypass authentication and gain access to the backend by leveraging knowledge of a password hash.

How to fix CVE-2014-3945

To remediate CVE-2014-3945, upgrade the affected package to a fixed version below.

Packagist/typo3/cms—upgrade to 6.2.0 or later

Is CVE-2014-3945 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 6.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-3945
PATCHgithub.com/TYPO3/typo3
WEBtypo3.org/security/advisory/typo3-core-sa-2014-001
WEBwww.debian.org/security/2014/dsa-2942
WEBwww.openwall.com