Observable Response Discrepancy in TYPO3 CMS
CVE-2020-11063

3.7 LOW

Key Information:

Vendor: TYPO3
Status: Vendor
CVE Published: 13 May 2020

What is CVE-2020-11063?

In TYPO3 CMS versions 10.4.0 and 10.4.1, the password reset functionality for backend users responds with measurably different timing depending on whether the submitted email address belongs to a backend user account. The response body itself does not differ, but by timing requests an unauthenticated attacker can enumerate which email addresses are assigned to backend user accounts. The issue is fixed in TYPO3 CMS 10.4.2.
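The following added example models the class of defect described above in Python; it is not TYPO3's code and does not reproduce the actual TYPO3 implementation or fix. The backend-user table, the PBKDF2 token derivation standing in for the reset flow's expensive work, and the 3x latency threshold are constructed assumptions. `reset_vulnerable` returns early for unknown addresses, `reset_hardened` performs the same work on both paths, and `enumerate_accounts` is the attacker-side timing heuristic run against each handler.

```python
"""Timing side channel in a password-reset endpoint: vulnerable vs. hardened.

Added example, not TYPO3 code. The user table, the PBKDF2 cost model and the
thresholds are constructed assumptions for the demonstration.
"""
import hashlib
import secrets
import time
from statistics import median

# Constructed backend-user table keyed by e-mail address (assumption, not real data).
BACKEND_USERS = {
    "admin@example.org": {"uid": 1},
    "editor@example.org": {"uid": 2},
}

# Both handlers return exactly this text, so the response body reveals nothing.
GENERIC_RESPONSE = "If the address belongs to a backend user, a reset link has been sent."

PBKDF2_ROUNDS = 100_000  # assumption: models the cost of deriving a reset token


def derive_reset_token(email: str) -> str:
    """Costly step that a reset flow performs when it prepares a reset link."""
    salt = secrets.token_bytes(16)
    return hashlib.pbkdf2_hmac("sha256", email.encode(), salt, PBKDF2_ROUNDS).hex()


def reset_vulnerable(email: str) -> str:
    """Vulnerable shape: the expensive step only runs when the address is known."""
    user = BACKEND_USERS.get(email.lower())
    if user is None:
        return GENERIC_RESPONSE          # fast path: no token work, no mail
    derive_reset_token(email)            # slow path: observable via timing
    # mail delivery omitted
    return GENERIC_RESPONSE


def reset_hardened(email: str) -> str:
    """Hardened shape: the expensive step runs whether or not the address is known."""
    user = BACKEND_USERS.get(email.lower())
    derive_reset_token(email)            # same cost on both paths
    if user is not None:
        pass                             # mail delivery would happen here
    return GENERIC_RESPONSE


def median_latency(handler, email: str, samples: int = 5) -> float:
    """Median wall-clock seconds over `samples` calls of handler(email)."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        handler(email)
        times.append(time.perf_counter() - start)
    return median(times)


def enumerate_accounts(handler, candidates, ratio: float = 3.0, samples: int = 5):
    """Attacker-side heuristic: candidates whose median latency exceeds `ratio`
    times the fastest candidate are reported as likely existing accounts."""
    latencies = {email: median_latency(handler, email, samples) for email in candidates}
    baseline = min(latencies.values())
    return sorted(e for e, t in latencies.items() if t > ratio * baseline)


if __name__ == "__main__":
    probes = ["admin@example.org", "nobody@example.org", "editor@example.org"]
    print("vulnerable:", enumerate_accounts(reset_vulnerable, probes))
    print("hardened:  ", enumerate_accounts(reset_hardened, probes))
```

Run locally, the vulnerable handler leaks both registered addresses while the hardened one yields an empty list. Over a real network the attacker needs many more samples per candidate to separate the two distributions from jitter, which is what the CVSS "Attack Complexity: High" rating reflects; equalising the work on both paths (or deferring the expensive work to a queue so the request returns at a constant cost) removes the signal rather than merely burying it in noise.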

Affected Version(s)

TYPO3 CMS >= 10.4.0, <= 10.4.1

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Only the Confidentiality metric is rated: the flaw discloses which email addresses are assigned to backend accounts and nothing else. The previously listed Availability rating of Low was inconsistent with the 3.7 score; with C:L/I:N/A:L the same vector would score 4.8.

Timeline

  • Vulnerability published: 13 May 2020

  • Vulnerability reserved