VYPR
Moderate severity · NVD Advisory · Published Dec 14, 2022 · Updated Apr 21, 2025

TYPO3 vulnerable to Improper Authentication in Frontend Login

CVE-2022-23501

Description

TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1, TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account; however, credentials must be known to the adversary. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, and 12.1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TYPO3 frontend login restrictions can be bypassed via ambiguous usernames, allowing attackers to access different accounts if credentials are known.

Vulnerability

Overview

CVE-2022-23501 is an improper authentication vulnerability in the TYPO3 content management system affecting versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1. The issue lies in the frontend login mechanism, where restricting access to specific users organized in different storage folders (partitions) can be bypassed. Attackers can exploit username ambiguity to gain access to a different account, although valid credentials for that account are required [1].

Exploitation

Conditions

The vulnerability stems from the way storage folder identifiers (storagePid) are handled during authentication. The commit that fixes the issue moves the storage PID from a publicly exposed form variable to a signed request token, preventing tampering [3]. An attacker must have valid credentials for a target account and exploit the ambiguity in how usernames are resolved across partitions to log in as a user from a different storage folder than intended [1][2].
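To illustrate the mechanism the fix commit describes, here is an added Python model (not TYPO3 code) of a frontend login whose user lookup is scoped to a list of storage folders: the weak variant takes the folder list from a plain form field, the hardened variant accepts it only from an HMAC-signed request token bound to the scope name used in the patch. The user records, folder ids, signing key and function names are constructed for this example.

```python
import hashlib
import hmac
import json
# Constructed sample data: two storage folders ("partitions"), each with a user "alice".
USERS = {
    10: {"alice": "correct-horse"},   # folder 10: the site this login form belongs to
    20: {"alice": "battery-staple"},  # folder 20: a different partition, same username
}
SIGNING_KEY = b"constructed-server-secret-for-demo"  # server-side only, never sent out
SCOPE = "core/user-auth/fe"  # token scope name as used in the patch

def lookup_user(username, password, pids):
    """Return (pid, username) if the credentials match a user in one of pids."""
    for pid in pids:
        if USERS.get(pid, {}).get(username) == password:
            return (pid, username)
    return None

def login_weak(form):
    """Pre-fix behaviour: the folder list is whatever the posted form says."""
    pids = [int(p) for p in form["pid"].split(",") if p.strip()]
    return lookup_user(form["user"], form["pass"], pids)

def create_token(scope, params):
    """Sign scope+params with the server key; the client only relays the result."""
    payload = json.dumps({"scope": scope, "params": params}, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def verify_token(token, scope):
    """Return the signed params, or None if the token is forged or off-scope."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    data = json.loads(payload)
    return data["params"] if data.get("scope") == scope else None

def render_form(storage_folders):
    """Server side of the fix: bind the configured folders into the token."""
    pid = ",".join(str(p) for p in storage_folders)
    return {"requestToken": create_token(SCOPE, {"pid": pid})}

def login_hardened(form):
    """Post-fix behaviour: the folder list comes only from a valid token."""
    params = verify_token(form.get("requestToken", ""), SCOPE)
    if params is None:
        return None  # missing or tampered token: refuse the login outright
    pids = [int(p) for p in params["pid"].split(",") if p]
    return lookup_user(form["user"], form["pass"], pids)
```

With the weak variant, a form configured for folder 10 still authenticates against folder 20 if the posted `pid` is changed; with the hardened variant, a token whose `pid` has been altered fails the signature check and no lookup happens at all.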

Impact and Mitigation

Successful exploitation could allow an authenticated attacker to access another user's account, potentially gaining elevated privileges or access to restricted content within the TYPO3 instance. The vulnerability is fully patched in the following releases: 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, and 12.1.1 [1]. Users are strongly advised to upgrade immediately. No workarounds are mentioned in the advisory.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions       Patched versions
typo3/cms-core   Packagist   < 8.7.49                8.7.49
typo3/cms-core   Packagist   >= 9.0.0, < 9.5.38      9.5.38
typo3/cms-core   Packagist   >= 10.0.0, < 10.4.33    10.4.33
typo3/cms-core   Packagist   >= 11.0.0, < 11.5.20    11.5.20
typo3/cms-core   Packagist   >= 12.0.0, < 12.1.1     12.1.1
typo3/cms        Packagist   >= 10.0.0, < 10.4.33    10.4.33
typo3/cms        Packagist   >= 11.0.0, < 11.5.20    11.5.20
typo3/cms        Packagist   >= 12.0.0, < 12.1.1     12.1.1


Patches (1)

28be9cdb3fed

[SECURITY] Use signed storage PID during frontend authentication

https://github.com/TYPO3/typo3 · Oliver Hader · Dec 13, 2022 · via ghsa
6 files changed · +50 −13
  • typo3/sysext/felogin/Classes/Controller/LoginController.php  (+2 −3, modified)
    @@ -103,13 +103,13 @@ public function loginAction(): ResponseInterface
                 [
                     'cookieWarning' => $this->showCookieWarning,
                     'messageKey' => $this->getStatusMessageKey(),
    -                'storagePid' => implode(',', $this->getStorageFolders()),
                     'permaloginStatus' => $this->getPermaloginStatus(),
                     'redirectURL' => $this->redirectHandler->getLoginFormRedirectUrl($this->configuration, $this->isRedirectDisabled()),
                     'redirectReferrer' => $this->request->hasArgument('redirectReferrer') ? (string)$this->request->getArgument('redirectReferrer') : '',
                     'referer' => $this->requestHandler->getPropertyFromGetAndPost('referer'),
                     'noRedirect' => $this->isRedirectDisabled(),
    -                'requestToken' => RequestToken::create('core/user-auth/fe'),
    +                'requestToken' => RequestToken::create('core/user-auth/fe')
    +                    ->withMergedParams(['pid' => implode(',', $this->getStorageFolders())]),
                 ]
             );
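Review bot: the `storagePid` view variable is dropped here while the matching removal of `<f:form.hidden name="pid" value="{storagePid}"/>` lives in Login.html, so a site with a customised login template keeps emitting an (now empty) `pid` field; the server ignores it after this change, but the release note should tell integrators to delete it from overridden templates. Putting the value into `RequestToken::create('core/user-auth/fe')->withMergedParams(['pid' => implode(',', $this->getStorageFolders())])` is the right move, since the token is generated and signed server-side; a one-line comment above it saying that `pid` is deliberately no longer a plain form field would help the next reader.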
     
    @@ -154,7 +154,6 @@ public function logoutAction(int $redirectPageLogout = 0): ResponseInterface
                 [
                     'cookieWarning' => $this->showCookieWarning,
                     'user' => $this->userService->getFeUserData(),
    -                'storagePid' => implode(',', $this->getStorageFolders()),
                     'noRedirect' => $this->isRedirectDisabled(),
                     'actionUri' => $this->redirectHandler->getLogoutFormRedirectUrl($this->configuration, $redirectPageLogout, $this->isRedirectDisabled()),
                 ]
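Review bot: `storagePid` is removed from the logout view and nothing replaces it, which is consistent with the pid only being needed to scope the user lookup at login time; `'user' => $this->userService->getFeUserData()` and the redirect handling are unchanged, so the only follow-up is the same overridden-template caveat as for the login action.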
    
  • typo3/sysext/felogin/Classes/Event/ProcessRequestTokenListener.php  (+41 −0, added)
    @@ -0,0 +1,41 @@
    +<?php
    +
    +declare(strict_types=1);
    +
    +/*
    + * This file is part of the TYPO3 CMS project.
    + *
    + * It is free software; you can redistribute it and/or modify it under
    + * the terms of the GNU General Public License, either version 2
    + * of the License, or any later version.
    + *
    + * For the full copyright and license information, please read the
    + * LICENSE.txt file that was distributed with this source code.
    + *
    + * The TYPO3 project - inspiring people to share!
    + */
    +
    +namespace TYPO3\CMS\FrontendLogin\Event;
    +
    +use TYPO3\CMS\Core\Authentication\Event\BeforeRequestTokenProcessedEvent;
    +use TYPO3\CMS\Core\Security\RequestToken;
    +use TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication;
    +
    +/**
    + * Process request token.
    + */
    +final class ProcessRequestTokenListener
    +{
    +    public function __invoke(BeforeRequestTokenProcessedEvent $event): void
    +    {
    +        $user = $event->getUser();
    +        $requestToken = $event->getRequestToken();
    +        if (!$user instanceof FrontendUserAuthentication || !$requestToken instanceof RequestToken) {
    +            return;
    +        }
    +        $pidParam = (string)($requestToken->params['pid'] ?? '');
    +        if ($user->checkPid) {
    +            $user->checkPid_value = $pidParam;
    +        }
    +    }
    +}
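Review bot: the listener performs no signature check of its own, so its correctness depends on `BeforeRequestTokenProcessedEvent` only being dispatched for a token whose signature has already been validated; the docblock `Process request token.` should state that assumption explicitly. Also, when the token carries no `pid`, `$pidParam` becomes `''` and is still written to `$user->checkPid_value` whenever `$user->checkPid` is set, overwriting whatever default was there; confirm that an empty string means "no folder restriction" rather than "match nothing" in the user lookup, or skip the assignment when `$pidParam === ''`.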
    
  • typo3/sysext/felogin/Configuration/Services.yaml  (+5 −0, modified)
    @@ -6,3 +6,8 @@ services:
     
       TYPO3\CMS\FrontendLogin\:
         resource: '../Classes/*'
    +
    +  TYPO3\CMS\FrontendLogin\Event\ProcessRequestTokenListener:
    +    tags:
    +      - name: event.listener
    +        identifier: felogin-process-request-token
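Review bot: the class is already registered by the `resource: '../Classes/*'` wildcard above, so this block exists only to attach the `event.listener` tag; a short comment saying so would spare readers from wondering about the duplicate registration. The tag sets no `method` or `event` key, so dispatch relies on `__invoke` and its type-hinted `BeforeRequestTokenProcessedEvent` parameter, which matches the listener class as written.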
    
  • typo3/sysext/felogin/Resources/Private/Templates/Login/Login.html  (+0 −1, modified)
    @@ -74,7 +74,6 @@ <h3>
     
             <div class="felogin-hidden">
                 <f:form.hidden name="logintype" value="login"/>
    -            <f:form.hidden name="pid" value="{storagePid}"/>
                 <f:if condition="{redirectURL}!=''">
                     <f:form.hidden name="redirect_url" value="{redirectURL}" />
                 </f:if>
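Review bot: removing `<f:form.hidden name="pid" value="{storagePid}"/>` only takes effect for installations using the shipped template; copies of Login.html in site packages will keep rendering the field (empty, now that `storagePid` is no longer assigned to the view), which is harmless but confusing, so the changelog should instruct integrators to remove it.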
    
  • typo3/sysext/felogin/Resources/Private/Templates/Login/Logout.html  (+0 −1, modified)
    @@ -28,7 +28,6 @@ <h3>
     
             <div class="felogin-hidden">
                 <f:form.hidden name="logintype" value="logout"/>
    -            <f:form.hidden name="pid" value="{storagePid}"/>
             </div>
         </fieldset>
     </f:form>
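Review bot: as in the login template, the hidden `pid` field goes and nothing replaces it; the `logintype` field and the surrounding `<f:form>` stay intact, so overridden Logout.html copies need the same cleanup noted for Login.html.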
    
  • typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php  (+2 −8, modified)
    @@ -210,14 +210,8 @@ public function isRefreshTimeBasedCookie()
         public function getLoginFormData(ServerRequestInterface $request)
         {
             $loginData = parent::getLoginFormData($request);
    -        // List of page IDs where to look for frontend user records during login
    -        if ($loginData['status'] === LoginType::LOGIN) {
    -            $pid = $request->getParsedBody()['pid'] ?? $request->getQueryParams()['pid'] ?? 0;
    -            if ($pid) {
    -                $this->checkPid_value = implode(',', GeneralUtility::intExplode(',', (string)$pid));
    -            }
    -        } else {
    -            // Needed in order to fetch users which are already logged-in due to fetching from session
    +        // Needed in order to fetch users which are already logged-in due to fetching from session
    +        if ($loginData['status'] !== LoginType::LOGIN) {
                 $this->checkPid_value = null;
             }
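Review bot: the removed branch was the only visible use of `GeneralUtility::intExplode` in this method, so check whether the `GeneralUtility` import is now unused. With the body/query `pid` lookup gone, the method only resets `checkPid_value` to null for non-login requests and otherwise leaves the value to the new listener; a comment pointing at `ProcessRequestTokenListener` would make that dependency visible to anyone reading this file alone. Note also that the listener assigns the token's `pid` string directly, without the `intExplode` normalisation done here before, which is acceptable only because the value now comes exclusively from the signed token the controller generates.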
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
