VYPR
← All advisories
Moderate severityNVD Advisory· Published Dec 23, 2013· Updated Apr 29, 2026

CVE-2013-7079

CVE-2013-7079

Description

The OpenID extension in TYPO3 contains an open redirect vulnerability allowing remote attackers to redirect users to arbitrary sites for phishing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The OpenID extension in TYPO3 contains an open redirect vulnerability allowing remote attackers to redirect users to arbitrary sites for phishing.

Vulnerability

The OpenID extension in TYPO3 CMS versions 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 contains an open redirect vulnerability [1][2][3]. The issue exists in the OpenID authentication component and occurs because user-supplied redirect parameters are not properly validated before forwarding the browser [2]. No authentication or special privileges are required to trigger the flaw; it can be exploited by any visitor who follows a crafted link [3].

Exploitation

An attacker can craft a URL that includes a malicious external destination and trick a user into clicking it, for example via email, social media, or a third-party website [2][3]. There is no need for the attacker to be authenticated or to have any prior access to the TYPO3 instance [2]. The user is redirected from the legitimate TYPO3 site to the attacker-controlled site, making the redirection appear trusted [3].

Impact

Successful exploitation allows an attacker to redirect users to arbitrary external websites. This can be leveraged for phishing attacks, where victims are directed to a malicious page that impersonates a trusted service, potentially leading to credential theft or malware installation [2][3]. The integrity of the trust relationship between the user and the TYPO3 site is undermined, but no direct data disclosure or privilege escalation occurs on the CMS itself [2].

Mitigation

TYPO3 released security updates to fix the vulnerability. The recommended solution is to upgrade to TYPO3 version 4.5.32, 4.7.17, 6.0.12, or 6.1.7, which were published on December 10, 2013 [1][2]. Administrators should also consider removing or disabling the OpenID extension if it is not needed, as the extension is no longer maintained in later TYPO3 versions [4].

References
  1. oss-sec: CVE request: TYPO3-CORE-SA-2013-004 and TYPO3-FLOW-SA-2013-001
  2. Multiple Vulnerabilities in TYPO3 CMS
  3. NVD - CVE-2013-7079
  4. GitHub - FriendsOfTYPO3/openid: Extends TYPO3 Authentication to allow OpenID 2.0

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
friendsoftypo3/openidPackagist
>= 4.5.0, < 4.5.314.5.31
friendsoftypo3/openidPackagist
>= 4.7.0, < 4.7.164.7.16
friendsoftypo3/openidPackagist
>= 6.0.0, < 6.0.116.0.11
friendsoftypo3/openidPackagist
>= 6.1.0, < 6.1.66.1.6

Affected products

69
  • TYPO3/Typo368 versions
    cpe:2.3:a:typo3:typo3:4.5.0:*:*:*:*:*:*:*+ 67 more
    • cpe:2.3:a:typo3:typo3:4.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.10:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.11:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.12:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.13:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.14:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.15:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.16:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.17:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.18:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.19:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.20:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.21:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.22:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.23:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.24:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.25:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.26:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.27:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.28:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.29:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.30:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.31:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.8:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.5.9:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.10:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.11:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.12:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.13:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.14:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.15:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.16:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.6:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.7:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.8:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:4.7.9:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:typo3:typo3:6.1.6:*:*:*:*:*:*:*
  • ghsa-coords
    pkg:composer/friendsoftypo3/openid
    Range: >= 4.5.0, < 4.5.31

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.