#VU64267 Inclusion of Sensitive Information in Log Files in TYPO3
Vulnerability identifier: #VU64267
Vulnerability risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-532
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
TYPO3
Web applications /
CMS
Vendor: TYPO3
Description
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to software stores system internal credentials or keys (e.g. database credentials) in plain text in exception handlers, when logging the complete exception stack trace. A remote user can view the stack trace and gain access to sensitive information.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
TYPO3: 10.0.0 - 10.4.28, 9.5.0 - 9.5.34, 9.0.0 - 9.4.0, 8.0.0 - 8.7.46, 7.0.0 - 7.6.56
External links
http://typo3.org/security/advisory/typo3-core-sa-2022-002/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
