Home > Vulnerability Database > CVE-2024-30173

Mend.io Vulnerability Database

CVE-2024-30173

Date: August 19, 2025

The authentication service of the extension does not verify the OpenID Connect authentication state from the user lookup chain. Instead, the authentication service authenticates every valid frontend user from the user lookup chain, where the frontend user field “tx_oidc” is not empty.\n\nIn scenarios, where either ext:felogin is active or where `$GLOBALS['TYPO3_CONF_VARS'][‘FE’][‘checkFeUserPid’]` is disabled, an attacker can login to OpenID Connect frontend user accounts by providing a valid username and any password.

Language: PHP

Severity Score

6.5

Related Resources (5)

Url: https://typo3.org/security/advisory/typo3-ext-sa-2024-002

Url: https://github.com/xperseguers/t3ext-oidc

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-30173

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/causal/oidc/CVE-2024-30173.yaml

Url: https://www.mend.io/vulnerability-database/CVE-2024-30173

Severity Score

6.5

Weakness Type (CWE)

Improper Access Control

CWE-284

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-30173

Date: August 19, 2025

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?