{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cleartext-password/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CMS Backend"],"_cs_severities":["high"],"_cs_tags":["typo3","cleartext-password","credential-access","cve-2026-6553"],"_cs_type":"advisory","_cs_vendors":["TYPO3"],"content_html":"\u003cp\u003eTYPO3 CMS version 14.2.0 contains a vulnerability where user passwords are stored in cleartext within the \u003ccode\u003euc\u003c/code\u003e and \u003ccode\u003euser_settings\u003c/code\u003e fields of the \u003ccode\u003ebe_users\u003c/code\u003e database table. This issue arises due to the \u003ccode\u003eSetupModuleController\u003c/code\u003e incorrectly conflating entity data with user-interface settings during persistence. The vulnerability is triggered when backend users modify their credentials through the backend user settings module while using the affected TYPO3 version. This flaw, reported by Martin Clewing and addressed by the TYPO3 core team, poses a significant risk as it exposes user credentials to unauthorized access and potential compromise. Defenders should prioritize upgrading to TYPO3 version 14.3.0 LTS and executing the User Settings Scrubbing wizard.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to the TYPO3 backend, potentially through brute-force attacks or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the backend user settings module.\u003c/li\u003e\n\u003cli\u003eA legitimate user or the attacker changes their password within the module while the TYPO3 instance is running version 14.2.0.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSetupModuleController\u003c/code\u003e processes the password change request.\u003c/li\u003e\n\u003cli\u003eInstead of properly hashing the password, the \u003ccode\u003eSetupModuleController\u003c/code\u003e stores it in cleartext in the \u003ccode\u003euc\u003c/code\u003e and \u003ccode\u003euser_settings\u003c/code\u003e fields of the \u003ccode\u003ebe_users\u003c/code\u003e database table.\u003c/li\u003e\n\u003cli\u003eAn attacker with database access can now retrieve the cleartext passwords from these fields.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to impersonate the user and gain access to sensitive data or perform unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers with database access to retrieve cleartext passwords, potentially leading to complete compromise of backend user accounts. While the vulnerability is limited to TYPO3 CMS version 14.2.0, the impact on affected instances is significant, as administrative accounts could be hijacked, allowing attackers to modify website content, install malicious extensions, or exfiltrate sensitive data. This could result in data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to TYPO3 version 14.3.0 LTS to address the underlying vulnerability (reference: Solution section).\u003c/li\u003e\n\u003cli\u003eExecute the User Settings Scrubbing wizard in the TYPO3 Install Tool to sanitize existing cleartext passwords in the \u003ccode\u003euc\u003c/code\u003e and \u003ccode\u003euser_settings\u003c/code\u003e fields (reference: Solution section).\u003c/li\u003e\n\u003cli\u003eRequire affected backend user accounts to reset their passwords immediately (reference: Solution section).\u003c/li\u003e\n\u003cli\u003eMonitor database access logs for suspicious activity, especially access to the \u003ccode\u003ebe_users\u003c/code\u003e table (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential unauthorized access attempts following password changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-typo3-cleartext-passwords/","summary":"TYPO3 CMS version 14.2.0 stores passwords in cleartext in the `uc` and `user_settings` fields of the `be_users` database table when users change their credentials in the backend user settings module.","title":"TYPO3 CMS 14.2.0 Stores Passwords in Cleartext","url":"https://feed.craftedsignal.io/briefs/2024-01-typo3-cleartext-passwords/"}],"language":"en","title":"CraftedSignal Threat Feed — Cleartext-Password","version":"https://jsonfeed.org/version/1.1"}