Skip to content

Cleartext storage of session identifier

High severity GitHub Reviewed Published Nov 17, 2020 in TYPO3/typo3 • Updated Feb 5, 2024

Package

composer typo3/cms (Composer)

Affected versions

>= 10.0.0, < 10.4.10
>= 9.0.0, < 9.5.23
>= 8.7.0, < 8.7.38

Patched versions

10.4.10
9.5.23
8.7.38
composer typo3/cms-core (Composer)
>= 9.0.0, < 9.5.23
>= 10.0.0, < 10.4.10
>= 8.7.0, < 8.7.38
9.5.23
10.4.10
8.7.38

Description

User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.

Solution

Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described.

Credits

Thanks to TYPO3 security team member Helmut Hummel who reported this issue and to TYPO3 core & security team members Benni Mack & Oliver Hader as well as TYPO3 contributor Markus Klein who fixed the issue.

References

@ohader ohader published to TYPO3/typo3 Nov 17, 2020
Reviewed Nov 23, 2020
Published by the National Vulnerability Database Nov 23, 2020
Published to the GitHub Advisory Database Nov 23, 2020
Last updated Feb 5, 2024

Severity

High
8.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2020-26228

GHSA ID

GHSA-954j-f27r-cj52

Source code

No known source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.