Information Disclosure in User Authentication
Description
TYPO3 is an open source PHP based web content management system. In versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may be logged as plain text. This occurs only when the log level is explicitly set to debug, which is not the default configuration. TYPO3 versions 9.5.28, 10.4.18 and 11.3.1 contain a patch for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TYPO3 CMS versions 9.0.0–9.5.27, 10.0.0–10.4.17, and 11.0.0–11.3.0 log plain-text user credentials when debug logging is enabled.
Vulnerability
In TYPO3 CMS versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may be logged as plain text when the log level is explicitly set to debug. Debug logging is not the default configuration but can be enabled by administrators for troubleshooting [1]. The issue sits in the authentication and session code: the submitted login form data (including the password fields), the user record loaded from the database (including its stored password hash) and raw session identifiers were passed directly to the logger's debug calls without sanitization [3].
Exploitation
An attacker would first need to gain access to the server's log files or to a centralized logging system where debug-level logs are stored. This typically requires local file read access or compromise of the logging infrastructure. The attacker does not need to be authenticated to TYPO3 itself, but must be able to read the log output. The credentials are written at login time, so only users who logged in while debug logging was active are exposed; the vulnerability is therefore conditional on a configuration change beyond the default setup. No user interaction is required beyond an administrator enabling debug logging [1][3].
Impact
Successful exploitation discloses plain-text user credentials (usernames and passwords) from login attempts, the stored password hashes of authenticated user records, and raw session identifiers. Passwords and session identifiers can be used directly to gain unauthorized access to the TYPO3 backend or frontend, depending on which users were exposed; password hashes can be cracked offline. The compromise affects the confidentiality of authentication data and could lead to privilege escalation within the CMS if an administrator account is among those logged [1][3].
Mitigation
TYPO3 has released patched versions: 9.5.28, 10.4.18, and 11.3.1 [1]. The fix, visible in commit 0b4950163b8919451964133febc65bcdfcec721c, sanitizes sensitive data before it reaches the logger: session identifiers are replaced by their sha1() digest, and login data and user records are filtered through removeSensitiveLoginDataForLoggingInfo(), which masks the uident, uident_text and password fields and reduces user records to a fixed list of non-secret columns [3]. Administrators should upgrade immediately. As a workaround, debug logging should remain disabled (the default) in production until the patch can be applied. Where debug logging had already been enabled on an affected version, treat the existing log files as containing credentials: restrict access to them, purge them, and rotate the passwords and sessions of users who logged in during that period.
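Because the leak happens at login time, an instance that ran an affected version with debug logging may already hold credentials on disk or in a log aggregator. The following script is an added example, not TYPO3 code: it scans log lines for the three keys the fix masks (uident, uident_text, password) and for session identifiers that do not look like sha1() digests, then lists the accounts whose passwords should be rotated. The line shape it parses and the sample lines are constructed to approximate TYPO3's file writer output; adjust LINE_RE to the writer configuration actually in use.

```python
"""Scan TYPO3 debug logs for plaintext credentials and raw session identifiers
that versions affected by CVE-2021-32767 wrote (example code, not TYPO3's own)."""
import json
import re
from dataclasses import dataclass

MASK = "********"                                    # value the fix writes instead of the secret
SECRET_KEYS = ("uident", "uident_text", "password")  # keys the fix masks
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")             # shape of sha1() output in the fix
AUTH_COMPONENTS = ("TYPO3.CMS.Core.Authentication", "TYPO3.CMS.Core.Session")

# Assumed line shape (constructed, approximating TYPO3's FileWriter):
#   <date> [LEVEL] request="<id>" component="<class>": <message> - <JSON context>
LINE_RE = re.compile(
    r'^(?P<ts>.+?) \[(?P<level>[A-Z]+)\] request="(?P<req>[^"]*)" '
    r'component="(?P<comp>[^"]+)": (?P<msg>.*?)(?: - (?P<ctx>\{.*\}))?$'
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "credential" (uident/uident_text/password) or "session"
    key: str
    account: str   # uname/username found in the same record, if any


def parse_line(line):
    """Return (component, context dict) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ctx = {}
    if m.group("ctx"):
        try:
            ctx = json.loads(m.group("ctx"))
        except json.JSONDecodeError:
            ctx = {}
    return m.group("comp"), ctx


def scan(text):
    """Return a Finding for every auth/session record that still carries a secret."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        comp, ctx = parsed
        if not comp.startswith(AUTH_COMPONENTS):
            continue
        account = ctx.get("uname") or ctx.get("username") or ""
        for key in SECRET_KEYS:
            # Pre-fix: the raw password, or the password hash of the user record.
            # Post-fix: the literal mask. Absent or empty is not a leak.
            if ctx.get(key) not in (None, "", MASK):
                findings.append(Finding(n, "credential", key, account))
        sess = ctx.get("session")
        # Heuristic: the fix logs sha1(id), i.e. 40 hex chars; anything else is
        # taken to be a raw identifier. A raw id that happens to be 40 hex chars
        # would pass unnoticed, so "no finding" is only weak evidence.
        if isinstance(sess, str) and sess and not SHA1_HEX.match(sess):
            findings.append(Finding(n, "session", "session", account))
    return findings


def accounts_to_rotate(findings):
    """Usernames whose credentials appeared in clear; these need a password reset."""
    return sorted({f.account for f in findings if f.kind == "credential" and f.account})


# Constructed sample: three pre-fix records (lines 1-3) and three post-fix records (4-6).
SAMPLE_LOG = """\
Mon, 02 Aug 2021 09:12:41 +0000 [DEBUG] request="a1b2c3" component="TYPO3.CMS.Core.Authentication.BackendUserAuthentication": Login data - {"status":"login","uname":"editor","uident":"Winter2021!","uident_text":"Winter2021!"}
Mon, 02 Aug 2021 09:12:41 +0000 [DEBUG] request="a1b2c3" component="TYPO3.CMS.Core.Authentication.BackendUserAuthentication": Set Cookie: 0f3c9a7e2b4d6c8a1e5f7a9b3c5d7e9f, .example.org - {"session":"0f3c9a7e2b4d6c8a1e5f7a9b3c5d7e9f","domain":".example.org"}
Mon, 02 Aug 2021 09:12:42 +0000 [DEBUG] request="a1b2c3" component="TYPO3.CMS.Core.Authentication.BackendUserAuthentication": Auth user - {"uid":3,"username":"editor","password":"$argon2i$v=19$m=65536,t=16,p=1$...","admin":0}
Tue, 03 Aug 2021 11:03:07 +0000 [DEBUG] request="d4e5f6" component="TYPO3.CMS.Core.Authentication.BackendUserAuthentication": Login data - {"status":"login","uname":"editor","uident":"********","uident_text":"********"}
Tue, 03 Aug 2021 11:03:07 +0000 [DEBUG] request="d4e5f6" component="TYPO3.CMS.Core.Authentication.BackendUserAuthentication": Set Cookie: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12, .example.org - {"session":"2fd4e1c67a2d28fced849ee1bb76e7391b93eb12","domain":".example.org"}
Tue, 03 Aug 2021 11:03:08 +0000 [INFO] request="d4e5f6" component="TYPO3.CMS.Core.Session.UserSessionManager": Fetch session with identifier 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - {"session":"2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"}
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.kind} in key '{f.key}' (account: {f.account or '-'})")
    print("accounts to rotate:", accounts_to_rotate(found))
```

Run it against the real log (for example by reading the file into `scan`) before and after the upgrade: the pre-fix records produce findings for the password fields and the 32-character session identifier, the post-fix records produce none.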
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory. Note that the advisory also lists 7.x and 8.x ranges for typo3/cms-core (patched in 7.6.52 and 8.7.41) that the CVE description above does not mention.
| Package | Ecosystem | Affected versions | Patched version |
|---|---|---|---|
| typo3/cms-core | Packagist | >= 7.0.0, < 7.6.52 | 7.6.52 |
| typo3/cms-core | Packagist | >= 8.0.0, < 8.7.41 | 8.7.41 |
| typo3/cms-core | Packagist | >= 9.0.0, < 9.5.28 | 9.5.28 |
| typo3/cms-core | Packagist | >= 10.0.0, < 10.4.18 | 10.4.18 |
| typo3/cms-core | Packagist | >= 11.0.0, < 11.3.1 | 11.3.1 |
| typo3/cms | Packagist | >= 9.0.0, < 9.5.28 | 9.5.28 |
| typo3/cms | Packagist | >= 10.0.0, < 10.4.18 | 10.4.18 |
| typo3/cms | Packagist | >= 11.0.0, < 11.3.1 | 11.3.1 |
Affected products
Version ranges from OSV coordinates (no CPE assigned unless noted):
- (no CPE) >= 7.0.0, < 7.6.51
- (no CPE) >= 10.0.0, < 10.4.18
- (no CPE) >= 7.0.0, < 7.6.52
- TYPO3/TYPO3.CMS (v5 range): >= 9.0.0, < 9.5.28
The two 7.x ranges disagree on the upper bound (< 7.6.51 versus < 7.6.52); the package table above, sourced from the GitHub Security Advisory, gives 7.6.52 as the patched release.
Patches
Commit 0b4950163b89: [SECURITY] Do not log sensitive data in authentication process
2 files changed · +39 −11
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php+37 −9 modified@@ -335,7 +335,7 @@ protected function setSessionCookie() ); $message = $isRefreshTimeBasedCookie ? 'Updated Cookie: {session}, {domain}' : 'Set Cookie: {session}, {domain}'; $this->logger->debug($message, [ - 'session' => $sessionId, + 'session' => sha1($sessionId), 'domain' => $cookieDomain, ]); } @@ -440,14 +440,14 @@ public function checkAuthentication() $authInfo = $this->getAuthInfoArray(); // Get Login/Logout data submitted by a form or params $loginData = $this->getLoginFormData(); - $this->logger->debug('Login data', $loginData); + $this->logger->debug('Login data', $this->removeSensitiveLoginDataForLoggingInfo($loginData)); // Active logout (eg. with "logout" button) if ($loginData['status'] === LoginType::LOGOUT) { if ($this->writeStdLog) { // $type,$action,$error,$details_nr,$details,$data,$tablename,$recuid,$recpid $this->writelog(SystemLogType::LOGIN, SystemLogLoginAction::LOGOUT, SystemLogErrorClassification::MESSAGE, 2, 'User %s logged out', [$this->user['username']], '', 0, 0); } - $this->logger->info('User logged out. Id: {session}', ['session' => $this->userSession->getIdentifier()]); + $this->logger->info('User logged out. Id: {session}', ['session' => sha1($this->userSession->getIdentifier())]); $this->logoff(); } // Determine whether we need to skip session update. @@ -556,7 +556,7 @@ public function checkAuthentication() // Use 'auth' service to authenticate the user // If one service returns FALSE then authentication failed // a service might return 100 which means there's no reason to stop but the user can't be authenticated by that service - $this->logger->debug('Auth user', $tempuser); + $this->logger->debug('Auth user', $this->removeSensitiveLoginDataForLoggingInfo($tempuser, true)); $subType = 'authUser' . $this->loginType; /** @var AuthenticationService $serviceObj */ 
@@ -641,7 +641,7 @@ public function checkAuthentication() // Mark the current login attempt as failed if (empty($tempuserArr) && $activeLogin) { $this->logger->debug('Login failed', [ - 'loginData' => $loginData + 'loginData' => $this->removeSensitiveLoginDataForLoggingInfo($loginData) ]); } elseif (!empty($tempuserArr)) { $this->logger->debug('Login failed', [ @@ -861,7 +861,7 @@ public function enforceNewSessionId() */ public function logoff() { - $this->logger->debug('logoff: ses_id = {session}', ['session' => $this->userSession->getIdentifier()]); + $this->logger->debug('logoff: ses_id = {session}', ['session' => sha1($this->userSession->getIdentifier())]); $_params = []; foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['logoff_pre_processing'] ?? [] as $_funcRef) { @@ -1094,7 +1094,7 @@ public function setSessionData($key, $data) public function setAndSaveSessionData($key, $data) { $this->userSession->set($key, $data); - $this->logger->debug('setAndSaveSessionData: ses_id = {session}', ['session' => $this->userSession->getIdentifier()]); + $this->logger->debug('setAndSaveSessionData: ses_id = {session}', ['session' => sha1($this->userSession->getIdentifier())]); $this->userSession = $this->userSessionManager->updateSession($this->userSession); } @@ -1138,7 +1138,7 @@ public function isActiveLogin(ServerRequestInterface $request): bool */ public function processLoginData($loginData) { - $this->logger->debug('Login data before processing', $loginData); + $this->logger->debug('Login data before processing', $this->removeSensitiveLoginDataForLoggingInfo($loginData)); $subType = 'processLoginData' . $this->loginType; $authInfo = $this->getAuthInfoArray(); $isLoginDataProcessed = false; 
@@ -1156,11 +1156,39 @@ public function processLoginData($loginData) } if ($isLoginDataProcessed) { $loginData = $processedLoginData; - $this->logger->debug('Processed login data', $processedLoginData); + $this->logger->debug('Processed login data', $this->removeSensitiveLoginDataForLoggingInfo($processedLoginData)); } return $loginData; } + /** + * Removes any sensitive data from the incoming data (either from loginData, processedLogin data + * or the user record from the DB). + * + * No type hinting is added because it might be possible that the incoming data is of any other type. + * + * @param mixed|array $data + * @param bool $isUserRecord + * @return mixed + */ + protected function removeSensitiveLoginDataForLoggingInfo($data, bool $isUserRecord = false) + { + if ($isUserRecord && is_array($data)) { + $fieldNames = ['uid', 'pid', 'tstamp', 'crdate', 'cruser_id', 'deleted', 'disabled', 'starttime', 'endtime', 'username', 'admin', 'usergroup', 'db_mountpoints', 'file_mountpoints', 'file_permissions', 'workspace_perms', 'lastlogin', 'workspace_id', 'category_perms']; + $data = array_intersect_key($data, array_combine($fieldNames, $fieldNames)); + } + if (isset($data['uident'])) { + $data['uident'] = '********'; + } + if (isset($data['uident_text'])) { + $data['uident_text'] = '********'; + } + if (isset($data['password'])) { + $data['password'] = '********'; + } + return $data; + } + /** * Returns an info array which provides additional information for auth services *
typo3/sysext/core/Classes/Session/UserSessionManager.php+2 −2 modified@@ -122,7 +122,7 @@ public function createAnonymousSession(): UserSession */ public function createSessionFromStorage(string $sessionId): UserSession { - $this->logger->debug('Fetch session with identifier {session}', ['session' => $sessionId]); + $this->logger->debug('Fetch session with identifier {session}', ['session' => sha1($sessionId)]); $sessionRecord = $this->sessionBackend->get($sessionId); return UserSession::createFromRecord($sessionId, $sessionRecord); } @@ -189,7 +189,7 @@ public function fixateAnonymousSession(UserSession $session, bool $isPermanent = public function elevateToFixatedUserSession(UserSession $session, int $userId, bool $isPermanent = false): UserSession { $sessionId = $session->getIdentifier(); - $this->logger->debug('Create session ses_id = {session}', ['session' => $sessionId]); + $this->logger->debug('Create session ses_id = {session}', ['session' => sha1($sessionId)]); // Delete any session entry first $this->sessionBackend->remove($sessionId); // Re-create session entry
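Review bot: in the new removeSensitiveLoginDataForLoggingInfo() (AbstractUserAuthentication.php, last hunk), the non-user-record path is a blocklist of exactly three keys (uident, uident_text, password), so any other secret present in $loginData, for instance a value a third-party service adds in the processLoginData step, is still written verbatim, and the same helper serves the 'Login data', 'Login data before processing', 'Processed login data' and 'Login failed' calls. Consider inverting it to the allowlist the $isUserRecord branch already uses, or at least documenting in the docblock that callers must not put other secrets under different keys. Minor: array_combine($fieldNames, $fieldNames) can be array_flip($fieldNames).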
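Review bot: in the 'Login failed' hunk (AbstractUserAuthentication.php @@ -641) only the first branch, empty($tempuserArr) && $activeLogin, is routed through removeSensitiveLoginDataForLoggingInfo(); the elseif (!empty($tempuserArr)) branch's debug call is cut off at the end of the hunk, so its context array should be checked for the same treatment (it holds a user record, so the $isUserRecord = true form) before merge.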
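Review bot: the sha1($sessionId) replacement in setSessionCookie(), logoff(), setAndSaveSessionData() and the two UserSessionManager.php sites is an unsalted digest of a high-entropy identifier, which is adequate for correlating log lines without exposing the id, but the call is now repeated inline at six sites, and the next debug statement that someone adds will log the raw identifier again. Move the digest into one small helper (for example on UserSession) and log only that, so the sanitized form is the only convenient one.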
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-34fr-fhqr-7235 (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-32767 (NVD advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32767.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32767.yaml
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-34fr-fhqr-7235 (vendor confirmation)
- https://github.com/TYPO3/typo3/commit/0b4950163b8919451964133febc65bcdfcec721c (fix commit)
- https://github.com/TYPO3/typo3/security/advisories/GHSA-34fr-fhqr-7235
- https://typo3.org/security/advisory/typo3-core-sa-2021-012
- https://typo3.org/security/advisory/typo3-core-sa-2021-013