ASA-2019-00019 – TYPO3: Security misconfiguration for backend user accounts

Allele Security Alert
ASA-2019-00019, TYPO3-CORE-SA-2019-002
Security misconfiguration for backend user accounts
Affected version(s)

TYPO3 CMS versions 8.0.0 up to 8.7.22
TYPO3 CMS versions 9.0.0 up to 9.5.3

Fixed version(s)

TYPO3 CMS version 8.7.23
TYPO3 CMS version 9.5.4

Proof of concept
When the TYPO3 backend is used to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed – which might be the entity type or the admin flag for backend users – the backend form is reloaded in order to reflect the changed configuration possibilities. However, this reload also persists the current state of the record, which can result in any of the following:

  • account contains empty login credentials (username and/or password)
  • account is incomplete and contains weak credentials (username and/or password)

Although the functionality provided by the TYPO3 core cannot be used with either an empty username or an empty password, this can still be a severe vulnerability for custom authentication service implementations.
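The following is an added example, not TYPO3 code and not part of the original alert. It models the two checks a defender wants for this issue: on the prevention side, a form reload caused by changing the account type must never write the record, and an explicit save must be refused while the credentials are empty or weak; on the detection side, an export of the stored backend user rows is scanned for empty credential fields, which is what a reload could have left behind. The record layout (a dict with `uid`, `username`, `password`, `admin`), the `reload`/`submit` trigger names and the minimum lengths are assumptions made for the example, and the sample rows are constructed.

```python
"""Defensive model for the issue in TYPO3-CORE-SA-2019-002 (added example,
not TYPO3 code).

Assumptions: a form record is a dict with 'username' and 'password' (the
plaintext typed into the form, before hashing) plus 'admin'; stored rows add
'uid'. The triggers 'reload' / 'submit' and the length thresholds are ours.
"""
from typing import Dict, List

MIN_USERNAME_LEN = 3
MIN_PASSWORD_LEN = 12  # assumption: anything shorter is treated as weak


def credential_problems(username: str, password: str) -> List[str]:
    """Return the reasons a username/password pair must not be persisted.

    An empty list means the pair is acceptable. Applied to plaintext input
    only; stored passwords are hashes and cannot be judged for strength.
    """
    problems = []
    username = (username or "").strip()
    password = password or ""
    if not username:
        problems.append("empty username")
    elif len(username) < MIN_USERNAME_LEN:
        problems.append("username shorter than %d" % MIN_USERNAME_LEN)
    if not password:
        problems.append("empty password")
    elif len(password) < MIN_PASSWORD_LEN:
        problems.append("password shorter than %d" % MIN_PASSWORD_LEN)
    elif password.lower() == username.lower():
        problems.append("password equals username")
    return problems


def may_persist(record: Dict, trigger: str) -> bool:
    """Decide whether the current backend user form state may be written.

    'reload': the form was re-rendered because the account type (entity type
    or admin flag) changed; the record is still being edited, never write it.
    'submit': the editor asked to save; write only with complete, non-weak
    credentials.
    """
    if trigger == "reload":
        return False
    if trigger != "submit":
        raise ValueError("unknown trigger: %r" % trigger)
    return not credential_problems(record.get("username", ""),
                                   record.get("password", ""))


def audit_stored_users(rows: List[Dict]) -> List[Dict]:
    """Detection side: flag stored rows whose credential fields are empty.

    Only emptiness is checked here because the stored password is a hash;
    each finding carries the uid and the admin flag so admin accounts can be
    prioritised.
    """
    findings = []
    for row in rows:
        reasons = []
        if not (row.get("username") or "").strip():
            reasons.append("empty username")
        if not (row.get("password") or ""):
            reasons.append("empty password")
        if reasons:
            findings.append({"uid": row.get("uid"),
                             "admin": bool(row.get("admin")),
                             "reasons": reasons})
    return findings


# Constructed sample rows standing in for an export of the backend user table.
SAMPLE_ROWS = [
    {"uid": 1, "username": "admin", "password": "<hash-placeholder>", "admin": 1},
    {"uid": 7, "username": "", "password": "", "admin": 1},   # left by a reload
    {"uid": 8, "username": "editor2", "password": "", "admin": 0},
]

if __name__ == "__main__":
    for finding in audit_stored_users(SAMPLE_ROWS):
        print("uid %(uid)s admin=%(admin)s: %(reasons)s" % finding)
```

Running the block lists uid 7 (an admin record with both fields empty) and uid 8 (empty password); the same `credential_problems` check is what a custom authentication service should apply on its own input, since the alert notes that such services, unlike the core, may accept empty credentials.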

Technical details
Oliver Eglseder and Benni Mack (TYPO3 core team)
TYPO3-CORE-SA-2019-002: Security Misconfiguration for Backend User Accounts

TYPO3 9.5.4 and 8.7.23 security releases published

[TYPO3-announce] Announcing TYPO3 v9.5.4 and v8.7.23 security releases

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: May 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.