CVE-2024-55891: TYPO3 Information Disclosure via Exception Handling/Logger

January 14, 2025

Problem

It has been discovered that the install tool password has been logged as plaintext in case the password hashing mechanism used for the password was incorrect.

Solution

Update to TYPO3 versions 13.4.3 LTS that fixes the problem described.

Credits

Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue.

References

TYPO3-CORE-SA-2025-001

References

github.com/TYPO3-CMS/install
github.com/TYPO3-CMS/install/commit/baa8089b1baf5552fab213a5761081608b0afc51
github.com/TYPO3/typo3/security/advisories/GHSA-38x7-cc6w-j27q
github.com/advisories/GHSA-38x7-cc6w-j27q
nvd.nist.gov/vuln/detail/CVE-2024-55891
typo3.org/security/advisory/typo3-core-sa-2025-001

Detect and mitigate CVE-2024-55891 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →