Cleartext transmission of sensitive information in TYPO3 - CVE-2017-6370


Published: March 17, 2017 / Updated: August 8, 2020


Vulnerability identifier: #VU39438
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-6370
CWE-ID: CWE-319
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: TYPO3
Affected software:
TYPO3

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

TYPO3 7.6.15 sends a plain HTTP request to an index.php?loginProvider URI when the Referer is an HTTPS URL, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields of that request.
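The following added check (not part of this advisory or of TYPO3) illustrates the CWE-319 condition described above from a defender's side: it parses a page served over HTTPS and flags any form that would carry the username or userident fields to an http:// action URL. The HTML, host name and loginProvider value are constructed samples; only the field and parameter names come from the advisory.

```python
"""Flag login forms that would submit credential fields over cleartext HTTP (CWE-319).
Added example, not TYPO3 code. Sample HTML/host/loginProvider value are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

# Field names cited in the advisory as leaked in the cleartext request.
CREDENTIAL_FIELDS = {"username", "userident"}


class _FormCollector(HTMLParser):
    """Collect each <form> action and the names of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": set()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_logins(page_url, html):
    """Return one finding per form that sends credential fields to an http:// URL.
    Relative actions are resolved against page_url, so only an explicit http://
    action (or a downgraded absolute URL) is reported."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        creds = form["fields"] & CREDENTIAL_FIELDS
        if creds and urlparse(target).scheme == "http":
            provider = parse_qs(urlparse(target).query).get("loginProvider", [None])[0]
            findings.append({"action": target, "fields": sorted(creds), "loginProvider": provider})
    return findings


PAGE_URL = "https://cms.example/typo3/index.php"  # constructed placeholder host
SAMPLE_HTML = """
<form action="http://cms.example/typo3/index.php?loginProvider=1" method="post">
  <input name="username"><input name="userident" type="hidden"><input name="p_field" type="password">
</form>
<form action="https://cms.example/typo3/index.php?loginProvider=1" method="post">
  <input name="username"><input name="userident" type="hidden">
</form>
"""  # constructed: first form downgrades to http, second stays on https
```

Running `find_cleartext_logins(PAGE_URL, SAMPLE_HTML)` reports only the first form, with the loginProvider value and the leaked field names.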


How to mitigate CVE-2017-6370

Install the update from the vendor's website.

Sources