PT-2024-20760 · Typo3 · Typo3

Benjamin Franzke · Published 2024-02-13 · Updated 2024-10-16 · CVE-2024-25119

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
TYPO3 versions prior to 8.7.57 ELTS
TYPO3 versions prior to 9.5.46 ELTS
TYPO3 versions prior to 10.4.43 ELTS
TYPO3 versions prior to 11.5.35 LTS
TYPO3 versions prior to 12.4.11 LTS
TYPO3 versions prior to 13.0.1

Description
The plaintext value of $GLOBALS['SYS']['encryptionKey'] was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to use the value to generate the cryptographic hashes that verify the authenticity of HTTP request parameters. Exploiting this issue requires an administrator-level backend user account with system maintainer permissions.

Recommendations
Update to TYPO3 version 8.7.57 ELTS or later
Update to TYPO3 version 9.5.46 ELTS or later
Update to TYPO3 version 10.4.43 ELTS or later
Update to TYPO3 version 11.5.35 LTS or later
Update to TYPO3 version 12.4.11 LTS or later
Update to TYPO3 version 13.0.1 or later
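A small triage helper for the version ranges above, added here as an example and not taken from the advisory or from the TYPO3 project: it maps an installed TYPO3 version string to the branch's fixed release listed in this advisory and reports whether the install still needs the update. Version strings such as "12.4.10" or "11.5.35 LTS" are assumed as input; majors newer than 13 are treated as released after the fix.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per major branch, exactly as listed in this advisory.
FIXED_RELEASES: dict = {
    8: (8, 7, 57),
    9: (9, 5, 46),
    10: (10, 4, 43),
    11: (11, 5, 35),
    12: (12, 4, 11),
    13: (13, 0, 1),
}


def parse_version(version: str) -> Version:
    """Parse 'major[.minor[.patch]]'; trailing labels like 'LTS' or '-dev' are ignored."""
    core = version.strip().split()[0].split("-")[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised TYPO3 version: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_release_for(version: str) -> Optional[Version]:
    """Return the advisory's fixed release for the branch this version belongs to.

    Majors older than 8 have no fixed release on their own branch, so the
    oldest listed fix (8.7.57) is the earliest release that closes the issue.
    None means the major is newer than every listed branch.
    """
    major = parse_version(version)[0]
    if major < min(FIXED_RELEASES):
        return FIXED_RELEASES[min(FIXED_RELEASES)]
    return FIXED_RELEASES.get(major)


def is_affected(version: str) -> bool:
    """True when the given version is strictly 'prior to' its branch's fixed release."""
    fixed = fixed_release_for(version)
    if fixed is None:
        return False  # e.g. 14.x: released after all listed fixes
    return parse_version(version) < fixed


if __name__ == "__main__":
    for v in ("12.4.10", "12.4.11 LTS", "13.0.0", "8.7.57 ELTS", "7.6.0"):
        print(v, "affected" if is_affected(v) else "fixed")
```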

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers
CVE-2024-25119
GHSA-H47M-3F78-QP9G

Affected Products
Typo3