Improper Authentication in TYPO3 - CVE-2015-2047

 

Published: February 23, 2015 / Updated: May 5, 2026


Vulnerability identifier: #VU40883
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2015-2047
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: TYPO3
Affected software:
TYPO3

Detailed vulnerability description

The vulnerability allows a remote unauthenticated attacker to manipulate data.

The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4.15, 4.5.0 through 4.5.39, and 4.6.0 through 4.6.18, when configured for the frontend, allows remote attackers to bypass authentication via a password that is cast to an empty value.


How to mitigate CVE-2015-2047

Install the update from the vendor's website.
