[SECURITY] Avoid showing password hashes in backend edit forms

Backend form fields of TCA `type=password` should never expose the persisted value - especially, in case the value is explicitly configured not to be hashed (having TCA `hashed=false`).

Resolves: #101965
Releases: main, 13.0, 12.4, 11.5
Change-Id: Ie05a708185c621b8a2120ad7851ac4caf180893f
Security-Bulletin: TYPO3-CORE-SA-2024-003
Security-References: CVE-2024-25118
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82947
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Showing
- Build/Sources/TypeScript/backend/form-engine-validation.ts: 6 additions, 1 deletion
- typo3/sysext/backend/Classes/Form/Element/PasswordElement.php: 17 additions, 2 deletions
- typo3/sysext/backend/Resources/Public/JavaScript/form-engine-validation.js: 1 addition, 1 deletion
- typo3/sysext/core/Tests/Acceptance/Application/FormEngine/ElementsBasicPasswordCest.php: 5 additions, 1 deletion