exploitDog

GHSA-r6mm-wmhf-849m

Опубликовано: 05 июн. 2024

Источник: github

Github: Прошло ревью

Описание

Time-Based Information Disclosure Vulnerability in Flow

The PersistedUsernamePasswordProvider was prone to a information disclosure of account existance based on timing attacks as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were submitted at all.

Ссылки

Пакеты

Наименование

typo3/flow

composer

Затронутые версииВерсия исправления

>= 2.3.0, < 2.3.16

2.3.16

Наименование

typo3/flow

composer

Затронутые версииВерсия исправления

>= 3.0.0, < 3.0.10

3.0.10

Наименование

typo3/flow

composer

Затронутые версииВерсия исправления

>= 3.1.0, < 3.1.7

3.1.7

Наименование

typo3/flow

composer

Затронутые версииВерсия исправления

>= 3.2.0, < 3.2.7

3.2.7

Наименование

typo3/flow

composer

Затронутые версииВерсия исправления

>= 3.3.0, < 3.3.5

3.3.5