TYPO3 is an open source PHP based web content management system. In versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may been logged as plain-text. This occurs when explicitly using log level debug, which is not the default configuration. TYPO3 versions 9.5.28, 10.4.18, 11.3.1 contain a patch for this vulnerability.
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Typo3 | Typo3 | 7.0.0 (including) | 7.6.51 (including) |
| Typo3 | Typo3 | 8.0.0 (including) | 8.7.40 (including) |
| Typo3 | Typo3 | 9.0.0 (including) | 9.5.27 (including) |
| Typo3 | Typo3 | 10.0.0 (including) | 10.4.17 (including) |
| Typo3 | Typo3 | 11.0.0 (including) | 11.3.0 (including) |
While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for: