CVE-2014-3946 — Typo3 Information Disclosure

Description

Failing to respect user groups of logged in users when caching queries, Extbase is susceptible to information disclosure. The query caching (introduced in Extbase 6.2) used to cache queries that query results for a specific user group were presented to a different group.

How to fix CVE-2014-3946

To remediate CVE-2014-3946, upgrade the affected package to a fixed version below.

Packagist/typo3/cms—upgrade to 6.2.3 or later

Is CVE-2014-3946 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 6.2.0, < 6.2.3

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-3946
PATCHgithub.com/TYPO3/typo3
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2014-3946.yaml
WEBtypo3.org/security/advisory/typo3-core-sa-2014-001