Home > Vulnerability Database > WS-2018-0154

Mend.io Vulnerability Database

WS-2018-0154

Good to know:

Date: July 12, 2018

It has been discovered that TYPO3's Salted Password system extension (which is a mandatory system component) is vulnerable to Authentication Bypass when using hashing methods which are related by PHP class inheritance. In standard TYPO3 core distributions stored passwords using the blowfish hashing algorithm can be overridden when using MD5 as the default hashing algorithm by just knowing a valid username. Per default the Portable PHP hashing algorithm (PHPass) is used which is not vulnerable.Affected Versions: 7.0.0 to 7.6.29

Language: PHP

Severity Score

7.3

Related Resources (2)

Url: https://github.com/TYPO3/TYPO3.CMS/commit/79260b2d9176096b33fd6ba97a255d9d8febbd30

Url: https://www.mend.io/vulnerability-database/WS-2018-0154

Severity Score

7.3

Weakness Type (CWE)

Authentication Bypass Using an Alternate Path or Channel

CWE-288

Top Fix

Upgrade Version

Upgrade to version TYPO3_7-6-30,TYPO3_8-7-17,v9.3.1

Learn More

CVSS v3.1

Base Score:	7.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

WS-2018-0154

Good to know:

Date: July 12, 2018

Language: PHP

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?