It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting, this can lead to hijacking an active and valid session in the Install Tool.
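
One way to check a deployment for this condition, as an added example that is not part of the advisory or of TYPO3's code: it parses `Set-Cookie` response headers and lists the cookies that lack the `HttpOnly` attribute, which is what keeps a cookie out of reach of page scripts. The cookie names and header values are constructed samples, and the function names are hypothetical.

```python
# Added example: audit Set-Cookie response headers for a missing HttpOnly attribute.
# Header values below are constructed samples, not captured from TYPO3.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    The first ';'-separated part is the cookie pair; everything after it is an
    attribute. Attribute names are case-insensitive (RFC 6265, section 5.2).
    """
    parts = header_value.split(";")
    name, _, value = parts[0].strip().partition("=")
    attributes = {}
    for part in parts[1:]:
        attr_name, _, attr_value = part.strip().partition("=")
        if attr_name:
            attributes[attr_name.strip().lower()] = attr_value.strip()
    return name.strip(), value.strip(), attributes


def cookies_missing_httponly(set_cookie_headers):
    """Return names of cookies whose Set-Cookie header lacks HttpOnly."""
    missing = []
    for header_value in set_cookie_headers:
        name, _, attributes = parse_set_cookie(header_value)
        if name and "httponly" not in attributes:
            missing.append(name)
    return missing


# Constructed sample headers, one per Set-Cookie line of a response.
SAMPLE_HEADERS = [
    # Readable from document.cookie: no HttpOnly attribute.
    "install_session=3f9c1a; Path=/; Secure",
    # Hardened: attribute present, in non-canonical case.
    "backend_session=77ab02; path=/; secure; httponly",
    # "httponly" appears only in the value and the path, not as an attribute,
    # so a plain substring search would wrongly report this cookie as safe.
    "prefs=httponly; Path=/httponly/; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"missing HttpOnly: {cookie_name}")
```
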
github.com/advisories/GHSA-f777-f784-36gm
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2018-12-11-4.yaml
github.com/TYPO3/typo3/commit/13328b0f74ac589a20b021db814dfa672581c26a
github.com/TYPO3/typo3/commit/918e50e4d20d88c7e40ad3bb134267d07706b0b1
github.com/TYPO3/typo3/commit/a5359491e3fb3164a6ba96a66c8e67fbb9971a4c
typo3.org/security/advisory/typo3-core-sa-2018-009