Insertion of Sensitive Information into Log File Affecting typo3/cms-install package, versions <13.4.3


Severity

Recommended: 0.0 (low, on a 0 to 10 scale)

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-PHP-TYPO3CMSINSTALL-8623407
  • Published: 15 Jan 2025
  • Disclosed: 14 Jan 2025
  • Credit: Oliver Hader

Introduced: 14 Jan 2025

CVE-2024-55891
CWE-532

How to fix?

Upgrade typo3/cms-install to version 13.4.3 or higher.

Overview

typo3/cms-install is the TYPO3 install extension. It provides the Install Tool, which is used for installation, upgrade, system administration and setup tasks.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to improper handling of sensitive information in the exception handling and logging mechanisms. When an incorrect password hashing mechanism is encountered, the logged output can include sensitive information such as plaintext passwords, so an attacker who can read the logs can gain access to it.
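
The pattern described in the overview, as an added illustration (this is not TYPO3's code, and every function name and sample value is hypothetical): an exception raised during a password check carries the call arguments in its trace, so a logger that serialises the trace writes the plaintext password, while marking the parameter with PHP 8.2's `#[\SensitiveParameter]` redacts it. The script assumes PHP 8.2 or later; older versions ignore the attribute.

```php
<?php
declare(strict_types=1);

// Keep call arguments in traces so the demonstration is deterministic
// (production php.ini templates usually set this to On, which hides them).
ini_set('zend.exception_ignore_args', '0');

// Hypothetical helper: takes only the stored hash, never the password.
function assertKnownMechanism(string $storedHash): void
{
    if (!str_starts_with($storedHash, '$argon2') && !str_starts_with($storedHash, '$2y$')) {
        throw new RuntimeException('Unsupported password hashing mechanism');
    }
}

// Weak form: the plaintext password is an ordinary argument on the stack.
function checkWeak(string $password, string $storedHash): bool
{
    assertKnownMechanism($storedHash);
    return password_verify($password, $storedHash);
}

// Hardened form: the secret is marked, so PHP replaces it in traces
// with a SensitiveParameterValue object.
function checkHardened(#[\SensitiveParameter] string $password, string $storedHash): bool
{
    assertKnownMechanism($storedHash);
    return password_verify($password, $storedHash);
}

// Hypothetical log formatter that serialises the full trace, arguments included.
function formatForLog(Throwable $e): string
{
    return (string) json_encode(['message' => $e->getMessage(), 'trace' => $e->getTrace()]);
}

$password = 'constructed-secret-123'; // constructed sample value
$badHash  = '$unknown$abc';           // constructed: unrecognised mechanism

foreach (['checkWeak', 'checkHardened'] as $fn) {
    try {
        $fn($password, $badHash);
    } catch (RuntimeException $e) {
        $leaks = str_contains(formatForLog($e), $password) ? 'yes' : 'no';
        printf("%-14s password present in log line: %s\n", $fn, $leaks);
    }
}
```

Passing the secret on to another unmarked function would put it back into that function's trace frame, which is why the helper above receives only the hash.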
