CVE-2020-11063 — Information Disclosure in Password Reset

Description

In TYPO3 CMS 10.4.0 through 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2. ### References * https://typo3.org/security/advisory/typo3-core-sa-2020-001

How to fix CVE-2020-11063

To remediate CVE-2020-11063, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 10.4.2 or later
—upgrade to 10.4.2 or later

Is CVE-2020-11063 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 10.4.0, <= 10.4.0, >= 10.4.1, <= 10.4.1
>= 10.0.0, < 10.4.2
>= 10.0.0, < 10.4.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-11063
PATCHgithub.com/TYPO3/typo3
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11063.yaml
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11063.yaml