CVE-2024-25118: 
PHP vulnerability analysis and mitigation

CVE-2024-25118 affects TYPO3, an open-source PHP-based web content management system. The vulnerability was discovered in February 2024 and involves password hashes being exposed in the TYPO3 backend user interface editing forms. This security issue affects multiple versions of TYPO3 from 8.0.0 through 13.0.0 (TYPO3 Advisory, GitHub Advisory).

The vulnerability is classified as an information disclosure issue (CWE-200) with a CVSS v3.1 base score of 6.5 (MEDIUM) according to NVD, while GitHub rates it at 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability specifically involves password hashes being reflected in the editing forms of the TYPO3 backend user interface (NVD).

The exposure of password hashes in the backend interface allows attackers to potentially crack the plaintext passwords using brute force techniques. However, the impact is limited as exploiting this vulnerability requires a valid backend user account (TYPO3 Advisory).

Users are advised to update to the patched versions: TYPO3 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1. There are no known workarounds for this issue (GitHub Advisory).

The vulnerability was discovered through collaborative efforts, with credit given to TYPO3 framework merger Christian Kuhn and external security researchers Maximilian Beckmann and Klaus-Günther Schmidt for reporting the issue. TYPO3 security team member Oliver Hader was responsible for implementing the fix (TYPO3 Advisory).