First published: Tue Jan 28 2025
## Problem Description

A vulnerability in the account linking logic of the extension allows a pre-hijacking attack leading to Account Takeover. The attack can only be exploited if all of the following requirements are met:

- An attacker can anticipate the email address of the user.
- An attacker can register a public frontend user account using that email address before the user's first OIDC login.
- The IDP returns the field `email` containing the email address of the user.

## Solution

An updated version 4.0.0 is available from the TYPO3 extension manager, Packagist and at https://extensions.typo3.org/extension/download/oidc/4.0.0/zip

Users of the extension are advised to update the extension as soon as possible.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/causal/oidc | >=3.0.0 <4.0.0 | 4.0.0 |
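As an added illustration (not the extension's own code; the in-memory store, function names and sample claims are all constructed), the linking mistake described under Problem Description beside a hardened variant: keying the local account on the IDP's `email` claim hands the session to whoever registered that address first, while keying on the issuer-qualified `sub` and refusing to auto-link an unlinked email match closes the pre-hijacking path.

```python
from dataclasses import dataclass

@dataclass
class FrontendUser:
    username: str
    email: str
    oidc_subject: "str | None" = None  # "issuer|sub" once linked, else None

class UserStore:  # in-memory stand-in for the frontend user table (constructed)
    def __init__(self):
        self.users = []
    def find_by_email(self, email):
        return next((u for u in self.users if u.email.lower() == email.lower()), None)
    def find_by_subject(self, subject):
        return next((u for u in self.users if u.oidc_subject == subject), None)
    def create(self, username, email, subject):
        self.users.append(FrontendUser(username, email, subject))
        return self.users[-1]

def subject_key(claims):
    # The identity the IDP actually guarantees is (iss, sub), not the email claim.
    return f"{claims['iss']}|{claims['sub']}"

def link_by_email(store, claims):
    """Vulnerable pattern: the email claim is the lookup key, so whoever
    registered that address locally first receives the OIDC session."""
    user = store.find_by_email(claims["email"])
    return user or store.create(claims["email"], claims["email"], subject_key(claims))

def link_by_subject(store, claims):
    """Hardened pattern: match only on a stored issuer|sub; an unlinked local
    account with the same email is a conflict to surface, not a login."""
    user = store.find_by_subject(subject_key(claims))
    if user is not None:
        return user
    if store.find_by_email(claims["email"]) is not None:
        raise PermissionError("email already held by an unlinked local account")
    return store.create(claims["email"], claims["email"], subject_key(claims))

def simulate(link):
    store = UserStore()
    # Constructed: a public registration with the victim's address already exists
    # before the victim's first OIDC login, and the IDP returns the email field.
    pre_registered = store.create("alice", "alice@example.test", None)
    claims = {"iss": "https://idp.example.test", "sub": "victim-123", "email": "alice@example.test"}
    try:
        user = link(store, claims)
    except PermissionError:
        return "refused"
    return "takeover" if user is pre_registered else "separate"
```

A production fix would replace the `PermissionError` with an explicit ownership check (for example, a password login to the existing account) before any link is stored.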