Medium severityNVD Advisory· Published Apr 2, 2024
OpenID Connect Authentication (oidc) Typo3 extension Authentication Bypass
CVE-2024-30173
Description
The authentication service of the extension does not verify the OpenID Connect authentication state from the user lookup chain. Instead, the authentication service authenticates every valid frontend user from the user lookup chain, where the frontend user field “tx_oidc” is not empty.
In scenarios, where either ext:felogin is active or where $GLOBALS['TYPO3_CONF_VARS'][‘FE’][‘checkFeUserPid’] is disabled, an attacker can login to OpenID Connect frontend user accounts by providing a valid username and any password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
causal/oidcPackagist | < 2.1.0 | 2.1.0 |
Affected products
1Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.