Typo3 Cms
Monthly
TYPO3 CMS 14.2.0 stores backend user passwords in cleartext within database fields (uc, user_settings) when passwords are changed through the user settings module. Remote attackers with database read access or exploiting SQL injection vulnerabilities can retrieve plaintext credentials for backend administrator accounts. Vendor patch available via GitHub commit 9a6e913f. No active exploitation confirmed at time of analysis, though high CVSS subsequent system impact scores (SC:H/SI:H/SA:H) indicate potential for privilege escalation if database is compromised.
TYPO3 CMS 14.2.0 stores backend user passwords in cleartext within database fields (uc, user_settings) when passwords are changed through the user settings module. Remote attackers with database read access or exploiting SQL injection vulnerabilities can retrieve plaintext credentials for backend administrator accounts. Vendor patch available via GitHub commit 9a6e913f. No active exploitation confirmed at time of analysis, though high CVSS subsequent system impact scores (SC:H/SI:H/SA:H) indicate potential for privilege escalation if database is compromised.