TYPO3-CORE-SA-2024-003: Information Disclosure of Hashed Passwords in TYPO3 Backend Forms

Categories: Development, TYPO3 CMS. Created by Oliver Hader
It has been discovered that TYPO3 CMS is susceptible to information disclosure.
  • Component Type: TYPO3 CMS
  • Subcomponent: Form Engine (ext:backend)
  • Release Date: February 13, 2024
  • Vulnerability Type: Information Disclosure
  • Affected Versions: 8.0.0-8.7.56, 9.0.0-9.5.45, 10.0.0-10.4.42, 11.0.0-11.5.34, 12.0.0-12.4.10, 13.0.0
  • Severity: Medium
  • Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
  • References: CVE-2024-25118, CWE-200

Problem Description

Password hashes were being reflected in the editing forms of the TYPO3 backend user interface (the stored hash was written into the HTML of the form field). An attacker who obtained such a hash could attempt to recover the plaintext password offline using brute-force techniques. Exploiting this vulnerability requires a valid backend user account with access to password input fields.
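The following is an added illustration of the bug class described above and of a typical mitigation; it is not TYPO3 code and does not reproduce the Form Engine's actual implementation. The record, the hash string, the sentinel value and the PBKDF2 hasher are all constructed for the example. It contrasts a field renderer that reflects the stored hash into the response with one that renders a fixed placeholder instead, shows the server-side half of that fix (an unchanged placeholder keeps the existing hash, anything else is hashed as a new password), and includes the kind of regression check a team could run over rendered backend forms to catch hash-shaped strings in HTML output.

```python
import hashlib
import html
import os
import re
from base64 import b64encode

# Constructed sample backend-user record. The hash is a made-up, bcrypt-shaped
# string used only so the check below has something to detect; it is not a
# real credential.
SAMPLE_USER = {
    "username": "editor",
    "password": "$2y$12$ZmFrZXNhbHRmYWtlc2FsdGZhbGUuRmFrZUhhc2hGYWtlSGFzaEZha2VI",
}

# Placeholder shown in the password field instead of the stored value (assumption
# for this example; not TYPO3's actual sentinel).
PASSWORD_SENTINEL = "********"

# Prefixes of common modular-crypt password-hash formats (bcrypt, argon2, pbkdf2,
# phpass, sha-crypt). Used by the regression check on rendered HTML.
HASH_PREFIX_RE = re.compile(r"\$(?:2[aby]|argon2id?|pbkdf2-sha256|P|[156])\$")


def render_field_vulnerable(name: str, value: str) -> str:
    """Pre-fix behaviour: the stored column value (the hash) is copied into the
    input's value attribute, so it ends up in the HTML sent to the browser."""
    return (f'<input type="password" name="{html.escape(name)}" '
            f'value="{html.escape(value)}">')


def render_field_fixed(name: str, value: str) -> str:
    """Fixed behaviour: the stored hash never leaves the server. A fixed-length
    sentinel is rendered instead; the value parameter is deliberately ignored."""
    return (f'<input type="password" name="{html.escape(name)}" '
            f'value="{PASSWORD_SENTINEL}" autocomplete="new-password">')


def render_form(user: dict, password_renderer) -> str:
    """Render a minimal edit form; only the password column uses the renderer under test."""
    rows = [
        f'<input type="text" name="username" value="{html.escape(user["username"])}">',
        password_renderer("password", user["password"]),
    ]
    return "<form>" + "".join(rows) + "</form>"


def leaks_hash(rendered_html: str) -> bool:
    """Regression check: does the response body contain a hash-shaped string?"""
    return HASH_PREFIX_RE.search(rendered_html) is not None


def hash_password(plaintext: str, salt: bytes = b"") -> str:
    """Illustrative PBKDF2-SHA256 hasher (assumption: stands in for whatever
    password hashing the application uses; not the TYPO3 hashing API)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, 600_000)
    return "$pbkdf2-sha256$600000$" + b64encode(salt).decode() + "$" + b64encode(digest).decode()


def process_submission(stored_hash: str, submitted: str) -> str:
    """Server side of the fix: an untouched sentinel (or an empty field) keeps the
    existing hash; anything else is treated as a new plaintext password."""
    if submitted in ("", PASSWORD_SENTINEL):
        return stored_hash
    return hash_password(submitted)


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_field_vulnerable), ("fixed", render_field_fixed)):
        page = render_form(SAMPLE_USER, renderer)
        print(f"{label} renderer: hash present in HTML = {leaks_hash(page)}")
```

The regression check is deliberately crude (a prefix match on the modular-crypt format), but it is cheap to run against every rendered backend form in a test suite and would have flagged this class of defect before release. The sentinel approach only works if the server side refuses to store the sentinel itself, which is why `process_submission` handles that case explicitly.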

Solution

Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described.

Credits

Thanks to TYPO3 framework merger Christian Kuhn and external security researchers Maximilian Beckmann and Klaus-Günther Schmidt, who reported this issue, and to TYPO3 security team member Oliver Hader, who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.