CVE-2024-25119: 
PHP vulnerability analysis and mitigation

TYPO3, an open source PHP-based web content management system, was found to have a security vulnerability (CVE-2024-25119) where the plaintext value of $GLOBALS['SYS']['encryptionKey'] was exposed in the TYPO3 Install Tool user interface. The vulnerability affects TYPO3 versions 8.0.0-8.7.56, 9.0.0-9.5.45, 10.0.0-10.4.42, 11.0.0-11.5.34, 12.0.0-12.4.10, and 13.0.0 (TYPO3 Advisory, GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The issue stems from the exposure of the encryption key in the editing forms of the TYPO3 Install Tool user interface, which could be used to generate cryptographic hashes for verifying HTTP request parameters' authenticity. The vulnerability is categorized as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The exposure of the encryption key could allow attackers to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. However, the impact is limited as exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions (TYPO3 Advisory).

Users are advised to update to the patched versions: TYPO3 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1. These versions contain the necessary fixes to address the vulnerability (TYPO3 Advisory).