GHSA-6xh8-8pfv-53vx: Authentication Bypass in TYPO3 CMS

June 5, 2024

The default authentication service misses to invalidate empty strings as password. Therefore it is possible to authenticate backend and frontend users without password set in the database. Note: TYPO3 does not allow to create user accounts without a password. Your TYPO3 installation might only be affected if there is a third party component creating user accounts without password by directly manipulating the database.

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2016-04-12-3.yaml
github.com/advisories/GHSA-6xh8-8pfv-53vx
typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-011

Code Behaviors & Features

Detect and mitigate GHSA-6xh8-8pfv-53vx with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →