[SECURITY] Avoid logging install tool password on hashing issue

This change avoids logging the submitted plain-text install tool
password in case the server-side hash was invalid.

Resolves: #105685
Releases: main, 13.4
Change-Id: I0b83e672d612a14442d5023361a96bd863947492
Security-Bulletin: TYPO3-CORE-SA-2025-001
Security-References: CVE-2024-55891
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/87742
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Author: ohader

Classes/Authentication/AuthenticationService.php

@@ -70,9 +70,9 @@ public function loginWithPassword($password, ServerRequestInterface $request, Se
                 $validPassword = $hashInstance->checkPassword($password, $installToolPassword);
             } catch (InvalidPasswordHashException $e) {
                 $logger = GeneralUtility::makeInstance(LogManager::class)->getLogger(__CLASS__);
-                $logger->warning(
+                $logger->error(
                     'Invalid install tool password hash specified in "BE/installToolPassword" configuration.',
-                    ['exception' => $e]
+                    ['exceptionMessage' => $e->getMessage()]
                 );
             }
         }