PT-2025-5587 · Typo3 · Typo3

Published 2025-01-28 · Updated 2025-03-16 · CVE-2025-24856

CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: TYPO3 extension versions prior to 4.0.0

Description: A vulnerability in the extension's account linking logic allows a pre-hijacking attack that leads to account takeover. The attack is possible if an attacker can anticipate the user's email address, registers a public frontend user account with that address before the user's first OIDC login, and the IdP returns the email field containing the user's email address.

Recommendations: For versions prior to 4.0.0, update the extension to version 4.0.0 as soon as possible.
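The account linking logic described above, modelled as an added example (not the extension's own code): the weak resolver adopts whichever local frontend user carries the email address returned by the IdP, so an account pre-registered with the victim's address becomes the victim's account on first OIDC login. The hardened variant is an assumed mitigation, not a description of what version 4.0.0 ships: it keys on the stable issuer/subject pair and falls back to email only when both the IdP's claim and the local record are verified. All user records, claims and hostnames are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class FrontendUser:
    uid: int
    email: str
    email_verified: bool = False        # set only by the site's own opt-in flow
    oidc_issuer: Optional[str] = None   # (iss, sub) recorded at first OIDC login
    oidc_sub: Optional[str] = None


def link_weak(claims: dict, users: list) -> FrontendUser:
    """Linking as the advisory describes it (modelled): any local account whose
    email equals the IdP's email claim is treated as the OIDC user's account."""
    email = claims.get("email", "").lower()
    for u in users:
        if email and u.email.lower() == email:
            return u
    u = FrontendUser(uid=len(users) + 1, email=email)
    users.append(u)
    return u


def link_hardened(claims: dict, users: list) -> FrontendUser:
    """Assumed hardening: match the persisted (iss, sub) pair first; fall back to
    email only if the IdP asserts email_verified AND the local record was
    verified by the site AND it is not yet bound to another OIDC identity. An
    unverified pre-registered account is therefore never adopted."""
    iss, sub = claims["iss"], claims["sub"]
    for u in users:
        if u.oidc_issuer == iss and u.oidc_sub == sub:
            return u
    email = claims.get("email", "").lower()
    for u in users:
        if (email and u.email.lower() == email and u.email_verified
                and claims.get("email_verified") is True and u.oidc_sub is None):
            u.oidc_issuer, u.oidc_sub = iss, sub   # bind on first successful link
            return u
    u = FrontendUser(len(users) + 1, email, claims.get("email_verified") is True, iss, sub)
    users.append(u)
    return u


def scenario(link) -> tuple:
    """Constructed pre-hijack scenario: uid 1 was registered by an attacker with the
    victim's anticipated address before the victim's first OIDC login. Returns
    (victim landed in the pre-registered account?, uid the victim received)."""
    users = [FrontendUser(uid=1, email="alice@example.org", email_verified=False)]
    victim = {"iss": "https://idp.example.org", "sub": "alice-123",
              "email": "alice@example.org", "email_verified": True}
    got = link(victim, users)
    return got.uid == 1, got.uid
```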

Exploit

Fix

Weakness Enumeration

IDOR
Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2025-24856
GHSA-HJ78-P4H7-M5FV

Affected Products

Typo3