CVE-2024-25118

Description

### Problem Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to the TYPO3 framework merger Christian Kuhn and external security researchers Maximilian Beckmann, Klaus-Günther Schmidt who reported this issue, and TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2024-003](https://typo3.org/security/advisory/typo3-core-sa-2024-003)

How to fix CVE-2024-25118

To remediate CVE-2024-25118, upgrade the affected package to a fixed version below.

• —upgrade to 8.7.57 or later

Is CVE-2024-25118 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 8.0.0, < 8.7.57

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-25118
• PATCHgithub.com/TYPO3/typo3
• WEBgithub.com/TYPO3/typo3/commit/1186b2fec8a665a8f228ed66e6d60abf8407c17b
• WEBgithub.com/TYPO3/typo3/commit/c7a135c25a14b852eebe4335f21ba3c606188f3a