Meta
- CVSS v3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
- CWE-204
Problem
It has been discovered that time-based attacks can be used against the password reset functionality for backend users. This allows an attacker to enumerate users based on the email addresses assigned to backend user accounts.
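The following added example illustrates the general class of problem (CWE-204, a response-time discrepancy in a reset handler) beside a uniform-work variant. It is not TYPO3 code and does not describe how TYPO3 fixed the issue; all function names and the sample address are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample data, not taken from TYPO3 or any real installation.
function findUid(string $email): ?int
{
    $users = ['editor@example.org' => 7];
    return $users[$email] ?? null;
}

// Leaky variant: the expensive work runs only for known addresses, so the
// response time differs between "account exists" and "no such account".
function requestResetLeaky(string $email, callable $sendMail): void
{
    $uid = findUid($email);
    if ($uid === null) {
        return; // fast path
    }
    $token = bin2hex(random_bytes(32));
    $hash = password_hash($token, PASSWORD_DEFAULT); // deliberately slow
    $sendMail($uid, $token, $hash);                  // synchronous delivery
}

// Uniform variant: token generation and hashing always run, and delivery is
// handed to a queue, so both outcomes do the same work inside the request.
function requestResetUniform(string $email, callable $enqueue): void
{
    $uid = findUid($email);
    $token = bin2hex(random_bytes(32));
    $hash = password_hash($token, PASSWORD_DEFAULT);
    // A worker outside the request discards jobs whose uid is null.
    $enqueue(['uid' => $uid, 'token' => $token, 'hash' => $hash]);
}

// Regression check: time both variants for a known and an unknown address.
function elapsedMs(callable $handler, string $email): float
{
    $noop = static function (...$args): void {};
    $start = hrtime(true);
    $handler($email, $noop);
    return (hrtime(true) - $start) / 1e6;
}

foreach (['requestResetLeaky', 'requestResetUniform'] as $handler) {
    printf(
        "%-20s known: %7.2f ms   unknown: %7.2f ms\n",
        $handler,
        elapsedMs($handler, 'editor@example.org'),
        elapsedMs($handler, 'nobody@example.org')
    );
}
```

Run from the command line, the leaky variant shows a clear gap between the two columns, while the uniform variant keeps them close; the same timing comparison can serve as a regression test for a reset endpoint.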
Solution
Update to TYPO3 version 10.4.2, which fixes the problem described.
Credits
Thanks to Michael Kasten, who reported this issue, and to TYPO3 merger Frank Nägler, who fixed the issue.
References