Improper Authentication in TYPO3 - CVE-2014-3945

Published: June 3, 2014 / Updated: August 10, 2020


Vulnerability identifier: #VU41580
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-3945
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: TYPO3
Affected software:
TYPO3 (versions before 6.2, as described below)

Detailed vulnerability description

The vulnerability allows a remote attacker who knows a backend user's password hash, but not the cleartext password, to log in to the TYPO3 backend as that user and read and manipulate data.

The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remote attackers to bypass authentication and gain access to the backend by leveraging knowledge of a password hash.

The precondition is what makes this serious in practice: on an installation that stores unsalted password hashes, the hash itself is password-equivalent, so any disclosure of the backend user table (a leaked database dump or backup, for example) is enough to authenticate, with no offline cracking required.
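As an added illustration (this is not TYPO3's code and does not reproduce the exact code path of this CVE), the following Python models the class of flaw described above: a login scheme whose server-side check depends only on the stored, unsalted hash, so anyone holding that hash can produce a valid login without the cleartext password. The challenge/response construction, the `UnsaltedBackend` and `SaltedBackend` classes and the sample credentials are assumptions constructed for this example; the hardened variant stores a salted, iterated hash and accepts nothing but the cleartext password.

```python
import hashlib
import hmac
import os
import secrets

# --- Model A (constructed, not TYPO3's code): unsalted MD5 hash used as the
# shared secret of a challenge/response login. With salting disabled, the
# stored hash is exactly what the client needs, so the hash is the password.

def unsalted_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def challenge_response(username: str, password_hash: str, challenge: str) -> str:
    # Response computed from the *hash* of the password. Any party holding the
    # hash can compute it; the cleartext password is never required.
    return hashlib.md5(f"{username}:{password_hash}:{challenge}".encode()).hexdigest()

class UnsaltedBackend:
    def __init__(self):
        self.users = {}  # username -> md5(password)

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = unsalted_hash(password)

    def new_challenge(self) -> str:
        return secrets.token_hex(16)

    def login(self, username: str, challenge: str, response: str) -> bool:
        stored = self.users.get(username)
        if stored is None:
            return False
        expected = challenge_response(username, stored, challenge)
        return hmac.compare_digest(expected, response)

# --- Model B (constructed): salted, iterated hash; the server recomputes the
# hash from the submitted cleartext password, so a stolen hash is not a login.

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class SaltedBackend:
    def __init__(self):
        self.users = {}  # username -> (salt, pbkdf2 hash)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, salted_hash(password, salt))

    def login(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            salted_hash("dummy", b"\x00" * 16)  # keep timing similar for unknown users
            return False
        salt, stored = rec
        return hmac.compare_digest(salted_hash(password, salt), stored)

def demo() -> tuple:
    """Returns (legit_a, hash_only_a, legit_b, hash_only_b)."""
    # Constructed sample credentials, not taken from the advisory.
    username, password = "admin", "correct horse battery staple"

    a = UnsaltedBackend()
    a.add_user(username, password)
    leaked_hash = a.users[username]  # what a leaked DB dump would give an attacker
    ch = a.new_challenge()
    legit_a = a.login(username, ch, challenge_response(username, unsalted_hash(password), ch))
    # Attacker knows only the hash: the login still succeeds.
    hash_only_a = a.login(username, ch, challenge_response(username, leaked_hash, ch))

    b = SaltedBackend()
    b.add_user(username, password)
    leaked_salt, leaked_digest = b.users[username]
    legit_b = b.login(username, password)
    # Attacker with the salted record but no password can only submit the hash
    # as if it were the password, which is rehashed and rejected.
    hash_only_b = b.login(username, leaked_digest.hex())
    return legit_a, hash_only_a, legit_b, hash_only_b

if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

The point of the two models is the check a reviewer should apply to any authentication scheme: if the server's verification can be completed by someone who holds the stored credential record but not the secret itself, the record is password-equivalent and a database disclosure becomes an authentication bypass. Salting alone does not prevent offline cracking of weak passwords, but it does remove the direct pass-the-hash login shown in Model A.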


How to mitigate CVE-2014-3945

Update TYPO3 to a version that fixes this issue, as published on the vendor's website. Because the flaw only applies when salted password hashing is disabled, also verify that salted password hashing is enabled for backend users, and rotate the passwords of any backend accounts whose hashes may already have been disclosed, since an exposed unsalted hash is usable directly on unpatched installations.

Sources