TYPO3-CORE-SA-2016-017: Information Disclosure in TYPO3 Backend
July 19, 2016
It has been discovered that TYPO3 is susceptible to Information Disclosure.
Component Type: TYPO3 CMS
Release Date: July 19, 2016
Vulnerable subcomponent: Backend
Vulnerability Type: Information Disclosure
Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:P/RL:O/RC:C
CVE: not assigned yet
Problem Description: The TYPO3 backend module stores the username of an authenticated backend user in its cache files. By guessing the file path of these cache files, it is possible to obtain valid backend usernames.
Solution: Update to TYPO3 versions 6.2.26, 7.6.10 or 8.2.1 that fix the problem described.
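As an added example (not part of the advisory), a small helper that maps an installed TYPO3 CMS version string onto the affected ranges and fix releases listed above, so an operator can tell quickly whether an instance needs the update; the version strings in the usage block are constructed samples.

```python
# Added example (not part of the TYPO3 advisory): check whether a TYPO3 CMS
# version falls inside the ranges affected by TYPO3-CORE-SA-2016-017.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, fix release) per branch, as stated in the advisory.
AFFECTED_RANGES = (
    ((6, 2, 0), (6, 2, 25), (6, 2, 26)),
    ((7, 6, 0), (7, 6, 9), (7, 6, 10)),
    ((8, 0, 0), (8, 2, 0), (8, 2, 1)),
)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; an optional 'v' prefix and '-suffix' are ignored."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised TYPO3 version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def check_typo3_version(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_version).

    'affected': inside an affected range; recommended_version is the fix release.
    'fixed':    at or above the fix release of the same major version line.
    'unknown':  a branch the advisory does not list (e.g. 7.5.x or 9.x).
    """
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return "affected", ".".join(map(str, fixed))
        if v[0] == fixed[0] and v >= fixed:
            return "fixed", None
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample inputs, one per outcome.
    for sample in ("6.2.25", "7.6.10", "8.1.3", "v8.2.1-dev", "7.5.0"):
        status, recommended = check_typo3_version(sample)
        print(f"{sample}: {status}" + (f" -> update to {recommended}" if recommended else ""))
```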
Credits: Thanks to Matthias Kappenberg who discovered and reported the issue.
General Note: All security related code changes are tagged so that you can easily look them up on our review system.