GHSA-XVV6-P4WF-MVX7

Vulnerability from github – Published: 2026-04-24 16:39 – Updated: 2026-05-08 15:20
Summary
TYPO3 CMS Stores Cleartext Password in User Settings Module
Details

Problem

The backend user settings module (SetupModuleController) incorrectly conflates entity data (like passwords or email address) with user-interface settings (like theme, display options) when persisting changes. As a result, passwords were stored in cleartext in the uc and user_settings fields of the be_users database table.

The cleartext data was only persisted when users changed their credentials in the backend user settings module while running the TYPO3 14.2.0 release (no other version is affected).

Solution

Update to TYPO3 version 14.3.0 LTS which fixes the problem described.

Important: Manual actions required

Updating to the patched release does not retroactively clean existing data. It is recommended to execute all User Settings upgrade wizards in the TYPO3 Install Tool, including the dedicated User Settings Scrubbing wizard, which sanitizes the incorrectly persisted cleartext values from the uc and user_settings fields of the be_users table. Additionally, affected backend user accounts should be assigned new passwords.

Admin Tools → Upgrade → Upgrade Wizard → User Settings Scrubbing

Credits

TYPO3 thanks Martin Clewing for reporting this issue, and TYPO3 core team members Oliver Hader, Stefan Bürk and Garvin Hicking for fixing it.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.2.0"
            },
            {
              "fixed": "14.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "14.2.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-6553"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T16:39:15Z",
    "nvd_published_at": "2026-04-21T10:16:31Z",
    "severity": "HIGH"
  },
  "details": "### Problem\nThe backend user settings module (`SetupModuleController`) incorrectly conflates entity data (like passwords or email address) with user-interface settings (like theme, display options) when persisting changes. As a result, passwords were stored in cleartext in the `uc` and `user_settings` fields of the `be_users` database table.\n\nThe cleartext data was only persisted if users changed their credentials in the backend user settings module when the TYPO3 14.2.0 release was used (not in any other version).\n\n### Solution\nUpdate to TYPO3 version 14.3.0 LTS which fixes the problem described.\n\n\u003e [!IMPORTANT]\n\u003e **Manual actions required**\n\u003e \n\u003e Updating to the patched release does not retroactively clean existing data. It is recommended to execute all User Settings upgrade wizards in the TYPO3 Install Tool, including the dedicated User Settings Scrubbing wizard, which sanitizes the incorrectly persisted cleartext values from the `uc` and `user_settings` fields of the `be_users` table. **Additionally, affected backend user accounts should be assigned new passwords.**\n\u003e \n\u003e _Admin Tools \u2192 Upgrade \u2192 Upgrade Wizard \u2192 User Settings Scrubbing_\n\n### Credits\nTYPO3 thanks Martin Clewing for reporting this issue, and TYPO3 core team members Oliver Hader, Stefan B\u00fcrk and Garvin Hicking for fixing it.",
  "id": "GHSA-xvv6-p4wf-mvx7",
  "modified": "2026-05-08T15:20:40Z",
  "published": "2026-04-24T16:39:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-xvv6-p4wf-mvx7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6553"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/commit/9a6e913f70767f63b322ae3e2d2f4e302624c291"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3/typo3"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TYPO3 CMS Stores Cleartext Password in User Settings Module"
}

