Skip to main content

Typo3 CVE-2020-11063

LOW
Observable Response Discrepancy (CWE-204)
2020-05-13 security-advisories@github.com
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
May 13, 2020 - 23:15 nvd
LOW 3.7

DescriptionNVD

In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2.

AnalysisAI

In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-204. In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2. Affected products include: Typo3.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Typo3

View all
CVE-2017-14251 HIGH POC
8.8 Sep 11

Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php i

CVE-2014-9509 HIGH POC
7.5 Jan 04

The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, w

CVE-2016-4056 MEDIUM POC
6.1 Jan 23

Cross-site scripting (XSS) vulnerability in the Backend component in TYPO3 6.2.x before 6.2.19 allows remote attackers t

CVE-2023-24814 MEDIUM POC
6.1 Feb 07

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. Rated medium

CVE-2020-26227 MEDIUM POC
6.1 Nov 23

TYPO3 is an open source PHP based web content management system. Rated medium severity (CVSS 6.1), this vulnerability is

CVE-2020-15241 MEDIUM POC
6.1 Oct 08

TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vul

CVE-2020-8091 MEDIUM POC
6.1 Jan 27

svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cr

CVE-2020-11066 CRITICAL
10.0 May 14

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.

CVE-2021-21365 MEDIUM POC
5.4 Apr 27

Bootstrap Package is a theme for TYPO3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, lo

CVE-2017-6370 MEDIUM POC
5.3 Mar 17

TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote

CVE-2024-34537 MEDIUM POC
4.9 Oct 28

TYPO3 before 13.3.1 allows denial of service (interface error) in the Bookmark Toolbar (ext:backend), exploitable by an

CVE-2022-23503 HIGH
8.8 Dec 14

TYPO3 is an open source PHP based web content management system. Rated high severity (CVSS 8.8), this vulnerability is r

Share

CVE-2020-11063 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy