Description

An issue was discovered in the oidc (aka OpenID Connect Authentication) extension before 4.0.0 for TYPO3. The account linking logic allows a pre-hijacking attack, leading to Account Takeover. The attack can only be exploited if the following requirements are met: (1) an attacker can anticipate the e-mail address of the user, (2) an attacker can register a public frontend user account using that e-mail address before the user's first OIDC login, and (3) the IDP returns an email field containing the e-mail address of the user,

INFO

Published Date :

2025-03-16T00:00:00.000Z

Last Modified :

2025-03-17T15:44:18.669Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-24856 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-24856.

URL Resource
https://github.com/xperseguers/t3ext-oidc/commit/877e09f6faf4c87bbb41233112ec7e30d3c902b3 cve-icon cve-icon
https://typo3.org/security/advisory/typo3-ext-sa-2025-001 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact