CVE-2022-23501 MEDIUM

CVE-2022-23501: TYPO3 vulnerable to Improper Authentication in Frontend Login

Vendor Typo3

Product typo3

Weakness CWE-287 · Improper authentication

Published December 14, 2022

Last update April 21, 2025

View on NVD All CVEs

CVSS base score

5.9/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

Description

TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

Key dates

Disclosure timeline

December 14, 2022 CVE published

April 21, 2025 Record updated

Identifiers

CVE CVE-2022-23501

CWE CWE-287

CVSS 5.9 / MEDIUM

Affected versions

Vendor Typo3

Product typo3

Affected >= 8.0.0, < 8.7.49

Vendor Typo3

Product typo3

Affected >= 9.0.0, < 9.5.38

Vendor Typo3

Product typo3

Affected >= 10.0.0, < 10.4.33

Vendor Typo3

Product typo3

Affected >= 11.0.0, < 11.5.20

Vendor Typo3

Product typo3

Affected >= 12.0.0, < 12.1.1