CVE-2015-2047

critical

Description

The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4.15, 4.5.0 through 4.5.39, and 4.6.0 through 4.6.18, when configured for the frontend, allows remote attackers to bypass authentication via a password that is casted to an empty value.

References

https://review.typo3.org/#/c/37013/

http://www.securitytracker.com/id/1031824

http://www.securityfocus.com/bid/72763

http://www.openwall.com/lists/oss-security/2015/02/22/8

http://www.openwall.com/lists/oss-security/2015/02/22/4

http://www.debian.org/security/2015/dsa-3164

http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-001/

http://lists.opensuse.org/opensuse-updates/2016-08/msg00106.html

Details

Source: Mitre, NVD

Published: 2015-02-23

Updated: 2016-11-30

Risk Information

CVSS v2

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical