When using the TYPO3 backend in order to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed - which might be entity type or the admin flag for backend users - the backend form is reloaded in order to reflect changed configuration possibilities. However, this leads to persisting the current state as well, which can result into some of the following:

• account contains empty login credentials (username and/or password)
• account is incomplete and contains weak credentials (username and/or password)

Albeit the functionality provided by the TYPO3 core cannot be used either with empty usernames or empty passwords, it still can be a severe vulnerability to custom authentication service implementations.

This weakness cannot be directly exploited and requires interaction on purpose by some backend user having according privileges.

References

• TYPO3/typo3@b3608d1
• TYPO3/typo3@e4d0cff
• https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-01-22-2.yaml
• https://typo3.org/security/advisory/typo3-core-sa-2019-002