=====================================================================

                              CERT-Renater

                  Note d'Information No. 2025/VULN057

_____________________________________________________________________

DATE                : 29/01/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running "OpenID Connect Authentication"
                     (oidc) for TYPO3.

=====================================================================
https://typo3.org/security/advisory/typo3-ext-sa-2025-001
_____________________________________________________________________

Tue. 28th January, 2025
TYPO3-EXT-SA-2025-001: Account Takeover in extension "OpenID Connect
Authentication" (oidc)

Categories: Development. Created by Torben Hansen
It has been discovered that the extension "OpenID Connect
Authentication" (oidc) is susceptible to Account Takeover.

    Release Date: January 28, 2025
    Component Type: Third party extension. This extension is not a
                    part of the TYPO3 default installation.
    Component: "OpenID Connect Authentication" (oidc)
    Composer Package Name: causal/oidc
    Vulnerability Type: Account Takeover
    Affected Versions: 3.0.0 and below
    Severity: Low
    Suggested CVSS v3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
    References: CVE-2025-24856, CWE-639, CWE-288


Problem Description

A vulnerability in the account linking logic of the extension allows
a pre-hijacking attack leading to Account Takeover. The attack can
only be exploited if the following requirements are met:

    An attacker can anticipate the email address of the user.
    An attacker can register a public frontend user account using
    that email address before the user's first OIDC login.
    The IDP returns the field "email" containing the email address of
    the user.


Solution

An updated version 4.0.0 is available from the TYPO3 extension
manager, packagist and at
https://extensions.typo3.org/extension/download/oidc/4.0.0/zip

Users of the extension are advised to update the extension as soon
as possible.

Important: The fixed version contains a breaking change, because
the "username" field has been removed from the OIDC authentication
service user lookup. Users relying on this functionality can use
the AuthenticationFetchUserEvent to adjust the lookup criteria,
but must ensure that the lookup criteria do not include a field
whose value is user-generated content.
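As an added illustration (not code from the extension, the advisory or TYPO3), a Python sketch of the two lookup behaviours the problem description and solution above contrast: matching a frontend user on an IdP-supplied, user-controllable field such as the email, beside a lookup that binds accounts only by the issuer/subject pair the IdP controls and refuses to link an unverified pre-registered account. The user table, claim values and function names are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory frontend user table (not the extension's real schema).
@dataclass
class FrontendUser:
    uid: int
    email: str
    email_verified: bool = False
    oidc_issuer: Optional[str] = None   # set once the account is bound to an IdP
    oidc_sub: Optional[str] = None      # stable subject identifier from that IdP

def lookup_vulnerable(claims: dict, users: list[FrontendUser]) -> Optional[FrontendUser]:
    """Pre-hijackable pattern: the first local account whose email equals the
    IdP's email claim is linked, whoever registered it."""
    for u in users:
        if u.email.lower() == claims["email"].lower():
            return u
    return None

def lookup_hardened(claims: dict, users: list[FrontendUser]) -> tuple[Optional[FrontendUser], str]:
    """Match on (iss, sub) first; fall back to email only when both the local
    account and the IdP assert a verified address; otherwise report a conflict."""
    for u in users:
        if u.oidc_issuer == claims["iss"] and u.oidc_sub == claims["sub"]:
            return u, "linked-by-subject"
    for u in users:
        if u.email.lower() == claims["email"].lower():
            if u.oidc_sub is None and u.email_verified and claims.get("email_verified") is True:
                u.oidc_issuer, u.oidc_sub = claims["iss"], claims["sub"]  # bind on first login
                return u, "linked-by-verified-email"
            return None, "conflict-unverified-email"  # needs manual review, no auto-link
    return None, "no-match"

def pre_hijack_scenario(local_email_verified: bool) -> dict:
    """Constructed scenario: an account with the victim's anticipated address exists
    before the victim's first OIDC login; the IdP then returns that email claim."""
    users = [FrontendUser(uid=1, email="victim@example.org", email_verified=local_email_verified)]
    claims = {"iss": "https://idp.example.org", "sub": "user-123",
              "email": "victim@example.org", "email_verified": True}
    hit = lookup_vulnerable(claims, users)
    safe, reason = lookup_hardened(claims, users)
    again, reason2 = lookup_hardened(claims, users)  # second login after a successful bind
    return {"vulnerable_uid": hit.uid if hit else None,
            "hardened_uid": safe.uid if safe else None, "reason": reason,
            "second_login_uid": again.uid if again else None, "second_reason": reason2}
```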


Credits

Thanks to Hannes Lau for reporting the issue and to Markus Klein
for providing an updated version of the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.

        
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
