VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-xww9-ktn9-e3ga

Essentials
Severities (22)
References (11)
Severity details (21)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-xww9-ktn9-e3ga
Aliases	CVE-2022-36105 GHSA-m392-235j-9r7r
Summary	TYPO3 CMS vulnerable to User Enumeration via Response Timing > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that observing response time during user authentication (backend and frontend) can be used to distinguish between existing and non-existing user accounts. Extension authors of 3rd party TYPO3 extensions providing a custom authentication service should check if the extension is affected by the described problem. Affected extensions must implement new `MimicServiceInterface::mimicAuthUser`, which simulates corresponding times regular processing would usually take. ### Solution Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above. ### Credits Thanks to Vautia who reported this issue and to TYPO3 core & security team members Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-007](https://typo3.org/security/advisory/typo3-core-sa-2022-007) * [Vulnerability Report on huntr.dev](https://huntr.dev/bounties/7d519735-2877-4fad-bd77-accde3e290a7/) (embargoed +30 days)
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-203	Observable Discrepancy
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00332	https://api.first.org/data/v1/epss?cve=CVE-2022-36105
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-m392-235j-9r7r
cvssv3.1	5.3	https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36105.yaml
generic_textual	MODERATE	https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36105.yaml
cvssv3.1	5.3	https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36105.yaml
generic_textual	MODERATE	https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36105.yaml
cvssv3.1	5.3	https://github.com/TYPO3/typo3
generic_textual	MODERATE	https://github.com/TYPO3/typo3
cvssv3.1	5.3	https://github.com/TYPO3/typo3/commit/f0fc9c4cd7c38207c30dd158de53ee5d9d6f41a2
generic_textual	MODERATE	https://github.com/TYPO3/typo3/commit/f0fc9c4cd7c38207c30dd158de53ee5d9d6f41a2
cvssv3.1	5.3	https://github.com/TYPO3/typo3/commit/f8b83ce15d4ea275a5a5e564e5d324242f7937b6
generic_textual	MODERATE	https://github.com/TYPO3/typo3/commit/f8b83ce15d4ea275a5a5e564e5d324242f7937b6
ssvc	Track	https://github.com/TYPO3/typo3/commit/f8b83ce15d4ea275a5a5e564e5d324242f7937b6
cvssv3.1	5.3	https://github.com/TYPO3/typo3/security/advisories/GHSA-m392-235j-9r7r
cvssv3.1_qr	MODERATE	https://github.com/TYPO3/typo3/security/advisories/GHSA-m392-235j-9r7r
generic_textual	MODERATE	https://github.com/TYPO3/typo3/security/advisories/GHSA-m392-235j-9r7r
ssvc	Track	https://github.com/TYPO3/typo3/security/advisories/GHSA-m392-235j-9r7r
cvssv3.1	5.3	https://nvd.nist.gov/vuln/detail/CVE-2022-36105
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2022-36105
cvssv3.1	5.3	https://typo3.org/security/advisory/typo3-core-sa-2022-007
generic_textual	MODERATE	https://typo3.org/security/advisory/typo3-core-sa-2022-007
ssvc	Track	https://typo3.org/security/advisory/typo3-core-sa-2022-007

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2022-36105
		https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36105.yaml
		https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36105.yaml
		https://github.com/TYPO3/typo3
		https://github.com/TYPO3/typo3/commit/f0fc9c4cd7c38207c30dd158de53ee5d9d6f41a2
		https://github.com/TYPO3/typo3/commit/f8b83ce15d4ea275a5a5e564e5d324242f7937b6
		https://github.com/TYPO3/typo3/security/advisories/GHSA-m392-235j-9r7r
		https://nvd.nist.gov/vuln/detail/CVE-2022-36105
		https://typo3.org/security/advisory/typo3-core-sa-2022-007
cpe:2.3:a:typo3:typo3::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3::::::::
GHSA-m392-235j-9r7r		https://github.com/advisories/GHSA-m392-235j-9r7r

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36105.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36105.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/TYPO3/typo3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/TYPO3/typo3/commit/f0fc9c4cd7c38207c30dd158de53ee5d9d6f41a2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/TYPO3/typo3/commit/f8b83ce15d4ea275a5a5e564e5d324242f7937b6

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:34Z/ Found at https://github.com/TYPO3/typo3/commit/f8b83ce15d4ea275a5a5e564e5d324242f7937b6

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/TYPO3/typo3/security/advisories/GHSA-m392-235j-9r7r

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:34Z/ Found at https://github.com/TYPO3/typo3/security/advisories/GHSA-m392-235j-9r7r

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-36105

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://typo3.org/security/advisory/typo3-core-sa-2022-007

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:34Z/ Found at https://typo3.org/security/advisory/typo3-core-sa-2022-007

Exploit Prediction Scoring System (EPSS)

Percentile	0.55429
EPSS Score	0.00332
Published At	June 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:23:19.249130+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-m392-235j-9r7r/GHSA-m392-235j-9r7r.json	36.1.3