CVE-2021-21339
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| TYPO3 | TYPO3.CMS | >= 6.2.0, <= 6.2.56 | affected |
| TYPO3 | TYPO3.CMS | >= 7.0.0, <= 7.6.50 | affected |
| TYPO3 | TYPO3.CMS | >= 8.0.0, <= 8.7.39 | affected |
| TYPO3 | TYPO3.CMS | >= 9.0.0, <= 9.5.24 | affected |
| TYPO3 | TYPO3.CMS | >= 10.0.0, <= 10.4.13 | affected |
| TYPO3 | TYPO3.CMS | >= 11.0.0, <= 11.1.0 | affected |
Weaknesses
- CWE-312: CWE-312: Cleartext Storage of Sensitive Information
ADP Enrichment
CVE Program Container
Additional References
- https://packagist.org/packages/typo3/cms-core
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-qx3w-4864-94ch
- https://typo3.org/security/advisory/typo3-core-sa-2021-006
References
- https://packagist.org/packages/typo3/cms-core
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-qx3w-4864-94ch
- https://typo3.org/security/advisory/typo3-core-sa-2021-006
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.